LANGLEY RESEARCH CENTEl 


3 1176 00501 6531 


: I /JAsA- 


DEMONSTRATION ADVANCED 
AVIONICS SYSTEM (DAAS] 
FINAL REPDRT 

CR-166281 
JANUARY 1982 



r 

> 

NASA-CR- 166281 


19830012670 



j 


Prepared Under Contract 
NAS2-10021 Phase I 

By 

Honeywell Inc. 
Avionics Division 
2600 Ridgway Parkway 
Minneapolis, Minnesota 5M13 


And 


King Radio Corporation 
400 North Rodgers Road 
Olathe, Kansas 66061 

For 


Ames Research Center 

National Aeronautics and Space Administration 

" n n ^ - T 




APR ^ 




LANGLEY RSSEARGM CENTER 
HAr,!PT0i\|, YiRQiN.'A 


Honeywell 


47873 



NF02338 






DEMONSTRATION ADVANCED 
AVIONICS SYSTEM (DAAS] 
FINAL REPORT 

CR-166281 

JANUARY 1982 

Prepared Under Contract 
NAS2-10021 Phase I 

By 

Honeywell Inc. 

Avionics Division 
2600 Ridgway Parkway 
Minneapolis, Minnesota 5^13 

And 

King Radio Corporation 
400 North Rodgers Road 
Olathe, Kansas 66061 

For 

Ames Research Center 

National Aeronautics and Sfiace Administration 


KING. 


Honeywell 

47873 


/./- 



This Page Intentionally Left Blank 



TABLE OF CONTENTS 


S©G*txori 


1 INTRODUCTION 1 

2 DEMONSTRATION ADVANCED AVIONICS SYSTEM (DAAS) 5 

2.1 DAAS Functional Description 5 

2.1.1 DAAS Functions 5 

2.1.2 DAAS Simulation Capability 8 

2.1.3 DAAS Controls and Displays 8 

2.1.4 DAAS System Architecture 14 

2.2 DAAS Hardware Description 17 

2.2.1 Computer Control Unit (CCU) 17 

2.2.2 Integrated Data Control Center (IDCC) 30 

2.2.3 Electronic Horizontal Situation 36 

Indicator (EHSI) 

2.2.4 DAAS Radio Adapter Unit (I^U) 39 

2.3 DAAS Evaluation 44 

2.3.1 Siammary of Results 44 

2.3.2 Simulator Description 48 

2.3.3 Pilot Evaluations 54 

2.3.4 Evaluation' Procedure 54 

2.4 Failure Mode .and Effects Analysis (FMEA) 67 

2.4.1 DAAS System Description 69 

2.4.2 Assessment of Compliance with FAR 69 

Requirements 

2.4.3 DAAS Failure Modes and Effects Analysis 77 

Results 

3 PROJECTED ADVANCED AVIONICS SYSTEM (PAAS) 89 

3.1 PAAS System Description 89 

3.1.1 PAAS Sensor Configuration 91 

3.1.2 PAAS Data Bus 95 

3.1.3 PAAS Computer Architecture 95 

3.1.4 PAAS Displays 96 

3.1.5 PAAS Servo Mechanization 98 

3.1.6 PAAS Power Mechanization 98 

3.1.7 PAAS Redundancy Management 98 

3.2 PAAS Reliability Analysis 99 

3.3 PAAS Cost Analysis 106 

3.4 PAAS Maintainability Analysis 111 

3.5 PAAS Modularity Analysis 114 

3.5.1 PAAS System Modularity 115 

3.5.2 PAAS Controls and Displays Modularity 117 


iii 



TABLE OF CONTENTS CConcluded) 

Section Page 


3.5.3 PAAS Hardware Modularity 119 

3.5.4 PAAS Software Modularity 121 

4 FABRICATION AND FLIGHTWORTHINESS TEST RESULTS 122 

5 INSTALLATION AND FLIGHT TEST 124 

5.1 Installation 124 

5.2 Flight Test 125 

5.2.1 Flight Test Schedule 125 

5.2.2 Ground Test 127 

5.2.3 Shakedown Flights 128 

5.2.4 "Certification" Flights 128 

5.2.5 Evaluation Flights 130 

6 CONCLUSIONS AND RECOMMENDATIONS 132 

6.1 Functional Capability 133 

6.2 Cost 135 

6.3 Reliability, Safety 135 

6.4 Maintainability 136 

6.5 Modularity 137 

GLOSSARY 139 

APPENDIX A - DAAS FAILURE MODES AND EFFECTS ANALYSIS 143 


iv 



LIST OF ILLUSTRATIONS 



Figure 


Page 


2-1 

Cessna 402B Cockpit 

10 

~ 

2-2 

Cessna 402B Control Panel Layout 

11 


2-3 

Cessna 402B Control Panel Layout CConcluded) 

12 

— 

2-4 

DAAS System Architecture 

15 


2-5 

DAAS System Diagram 

18 


2-6 

DAAS Flight Hardware 

19 


2-7 

DAAS Central Computer Unit 

20 


2-8 

DAAS Central Computer Unit Installation 
Drawing 

22 


2-9 

DAAS Processor Module 

23 

~ 

2-10 

DAAS Integrated Data Control Center (IDCC) 

31 


2-11 

IDCC Installation Drawing 

32 


2-12 

DAAS Electronic Horizontal Situation 
Indicator (EHSI) 

37 


2-13 

EHSI Installation Drawing 

38 


2-14 

DAAS Radio Adapter Unit (RAU) 

40 


2-15 

DAAS Simulator 

45 

— 

2-16 

Simulator Hardware Interfaces 

52 

r 

2-17 

Evaluation Scenario Chart 
(Minneapolis Local Victor Airway Chart) 

59 


2-18 

Minneapolis-St . Paul International 
RNAV Rwy 29 Right 

63 


3-1 

PAAS System Architecture 

90 


V 



LIST OF ILLUSTRATIONS (Concluded) 

Figure Page 

3-2 Skewed Sensor Geometry 93 

3-3 PAAS Panel Concept 97 

3-4 PAAS Manual Redundancy Management 100 

3-5 PAAS Maintenance Concept 112 

3-6 PAAS Modularity ' 116 

3-7 DAAS Processor Module 120 

5-1 Flight Test Schedule 125 


vi 



LIST OF TABLES 


Table Page 

2-1 NAVAID Data for Evaluation Scenario 61 

2-2 Waypoint Data for Evaluation Scenario 62 

2-3 DAAS Elements Failure Rates 79 

2-4 Summary of the DAAS Failure Modes and 83 

Effects Analysis 

2- 5 Failure Categorization of the DAAS Elements 87 

3- 1 Reliability Estimate for a Conventional System 101 

3-2 Reliability Estimate for PAAS 104 

3-3 Cost Estimate for a Conventional System 107 

3-4 Cost Estimate for PAAS 109 

5-1 DAAS Flight Test Matrix 126 

5-2 Individual Ground Tests 127 

5-3 Malfunctions Tested 129 

5-4 Airworthiness Testing 130 

5-5 System Comments 131 

5-6 Hardware Comments 131 


vii 



SECTION 1 
INTRODUCTION 


General Aviation serves an important role in transportation and 
in the Nation's economy. But operating procedures are compli- 
cated, regulations are restrictive, and the demands of the 
National Air Traffic Control CATC) system are increasing. All of 
these factors contribute to an increasing dependence on avionics 
and to a corresponding increase in their cost and complexity. 
Furthermore, such diverse considerations as safety, rising fuel 
costs, and the desire to improve single pilot IFR operation will 
stimulate the demand for even more avionics. 

To date, the avionics industry has been able to meet the increas- 
ing requirements for avionics at affordable prices by aggressively 
applying new technologies. The application of new technology has 
been along traditional lines, however, with integration occurring 
only in a few specific areas such as navigation/communication sys- 
tems and integrated flight director/ autopilot designs. Using 
this approach, the addition of more sophisticated capabilities — 
such as a performance computer, a pilot alert system, or a ground- 
proximity warning system — is expensive and cumbersome because 
of the need for separate computers, separate displays and controls, 
and signals from aircraft sensors that either do not have an ap- 
propriate output, or are not easily accessible. However, as a 
result of recent developments in microprocessors, busing, displays, 
and software technology, it may be possible to configure an inte- 
grated avionics system that is better suited for accommodating 
these future requirements. 


1 



In 1975, a research and development program was initiated within 
the National Aeronautics and Space Administration to determine 
the feasibility of developing an integrated avionics system suit- 
able for general aviation in the mid-1980s and beyond. The ob- 
jective was to provide information required for the design of 
reliable integrated avionics. This avionics was to provide ex- 
panded functional capability that would significantly enhance the 
utility and safety of general aviation at a cost commensurate 
with the general aviation market. 

The program has emphasized the use of a data bus, microprocessors, 
electronic displays and data entry devices, and improved function 
capabilities. As a final step, a Demonstration Advanced Avionics 
System (DAAS) capable of evaluating the most critical and promis- 
ing elements of an integrated system was designed, built, and 
flight tested in a twin-engine general aviation aircraft. 

A contract was awarded to Honeywell, Inc. , teamed with King Radio 
Corp. , in August 1978 for the design and fabrication of DAAS. 

The specific objectives were (1) to fabricate an integrated avi- 
onics system based on the information obtained in the investiga- 
tions described in the foregoing paragraph (2) to incorporate in 
this system a set of functional capabilities that will be bene- 
ficial to general aviation, and (3) to design the displays and 
controls so that the pilot can use the system after minimum train- 
ing. The system was installed in the Ames' Research Center's Cessna 
402B in June, 1981 at King Radio Corporation flight operations 
facility in Olathe, Kansas. Testing began in July, 1981 and con- 
cluded with NASA acceptance in October of 1981. After a ferry flight 
to Cessna-Wichita for a new interior, demonstration flights to the 
general aviation community were held in November, 1981 and hosted by 
King Radio. Further evaluation flight tests by guest pilots will be 

held at the Ames Research Center in early 1982. 

2 



The DAAS Program also includes definition and analysis of a pro- 
jected Advanced Avionics System (PAAS). PAAS extrapolates the 
DAAS concept of integrated, fault tolerant avionics to a poten- 
tial operational version for the mid-1980s. PAAS was analyzed to 
determine reliability, cost, etc., and impact of the DAAS concept 
in comparison to conventional architecture. The results are con- 
tained herein. 

This report documents the DAAS Program System Design, and 
includes the following: 

• DEMONSTRATION ADVANCED AVIONICS SYSTEM (DAAS) 

- DAAS Functional Description 

- DAAS Hardware Description 

- DAAS Operational Evaluation 

- DAAS Failure Modes Effects Analysis 

• Project Advanced Avionics System (PAAS) 

- PAAS Description 

} - PAAS Reliability Analysis 

- PAAS Cost Analysis 

- PAAS Maintainability Analysis 

- PAAS Modularity Analysis 

• DAAS Fabrication and Flightworthiness Test Results 

• DAAS Installation & Flight Test 

• Conclusions and Recommendations 

Additional detailed design information is contained in the following 
documents : 


3 



• 'Demonstrating Advanced Avionics System (DAAS) Functional 
Description, by Honeywell Inc. and King Radio for Ames Re- 
search Center, NASA. 

• 'DAAS-System Specification C?G 1210), ' January 1982, 

Hone 3 Twell Specification DS 28150-01. 

• 'DAAS Central Computer Unit (BG1135), ' January 1982, 

Honeywell Specification DS 28151-01. 

• 'EHSI (Electronic Horizontal Situation Indicator) JG12D4AA, ' 
January 1982, Hone 3 nvell Specification D538153-01 

• ' IDCC( Integrated Display and Control Center), DAAS 
HG1052AA,' January 1982, Honeywell Specification DS28154-01. 

• 'NASA-Hone 3 T(vell DAAS Radio Adapter Unit P/N 066-1083-00,' 

14 September 1979, King Radio Corp. Specification 001-5018-00. 

• 'Software Development Specification For Y61210 NASA DAAS 
Avionics System,' Hone 3 nvell Specification DS28152-01.- 


4 



SECTION 2 

DEMONSTRATION ADVANCED AVIONICS SYSTEM (DAAS) 


DAAS is the demonstrator system intended to physically demonstrate 
the characteristics of a fault tolerant integrated avionics sys- 
tem in a Cessna 402B aircraft. Following is description of the 
demonstrator system including functional description, hardware 
description, documentation of the DAAS operational evaluation 
conducted on the DAAS simulator, and documentation of the failure 
modes and effects analysis conducted to verify DAAS flight safety. 


2.1 DAAS FUNCTIONAL DESCRIPTION 

The DAAS is an integrated system. It performs a broad range of 
general aviation avionics functions using one computer system, 
and shared controls and displays. Following is brief description 
of the DAAS functions, controls and displays, and DAAS architec- 
ture. 

2.1.1 DAAS Functions 


• Autopilot - The autopilot is a digital version of the King 
KFC200 modified for compatibility with DAAS. The basic auto- 
pilot modes are : 

- Yaw Damper 

- HDG SEL (Heading Select) 

- ALT, ALT ARM (Altitude Hold, Altitude Arm) 


5 



- VNAV Coupled 

NAV ARM, NAV Coupled Control 

- APPR ARM, APPR Coupled Control 

o Navigation/Flight Planning - The navigation/flight planning funct- 
tion computes aircraft position with respect to an entered flight 
plan and data from the automatically tuned VOR/DME receivers. 

In the event of radio failure, dead- reckoning position (as de- 
termined from airspeed and heading) is estimated with respect 
to the entered flight plan. Other functions include: 

10 Waypoints, 10 NAVAID Storage 

- Moving Map Display 

- VOR/DME Data Validity Determination 

• Flight Warning/ Advisory System - DAAS includes extensive 

monitoring, with warning capability. For example, the DAAS 
system monitors engine performance (MAP, RPM), aircraft con- 
figuration (gear position, flap position, etc.) with respect 
to flight condition, and ground proximity and informs the 
pilot of undesirable situations. Monitoring includes: 

- Engine Parameter Monitoring Warning 

- Aircraft Configuration Monitoring, Warning 

- Airspeed and Stall Monitoring, Warning 

- Altitude Advisory Function 

- Marker Beacon Advisory Function 

- NAVAID Identification Monitoring 

- Autopilot/Flight Director Monitoring 

- BIT Fault Warning 


6 



• GMT Clock Function - The DAAS computer serves as a GMT 
clock. 

• Fuel Totalizer Function - Fuel flow is integrated to total- 
ize fuel used. 

• Weight and Balance Computations - Weight and center of gravity 
calculations can be quickly and conveniently determined using 
DAAS controls and displays. 

• Performance Computations - The DAAS system will determine 
fuel and time required to fly specific segment distances 
given altitude, temperature, wind data, and engine power 
setting. Performance computation functions are: 

- Takeoff Performance 

- Cruise Performance 

- Fuel/Distance/Time Computation 

• DABS (Discrete Address Beacon System) ATC Communication, 
Weather Reporting - ATC text messages (e.g. , CLIMB AND MAIN- 
TAIN 1200 FT) or weather information at destination can be 
communicated to the DAAS pilot via DABS data link and dis- 
played on the DAAS electronic display. 

• BIT (Built-in Test) - The DAAS system will detect and local- 
ize its own faults via BIT. Provisions are also included 
for troubleshooting the DAAS hardware through DAAS controls 
and electronic displays. 


7 



• Normal, Emergency Checklists - Normal and emergency check- 
lists are stored in the DAAS computer, and are available for 
display at the push of a button. 

These functions are managed via shared controls and displays, and 
performed in the common DAAS computer system. 

.2.1.2 DAAS Simulation Capability 

The DAAS system has the capability of simulating navigation and 
aircraft sensor signals on the ground. This provides the pilot 
with the ability to demonstrate, test or train on the navigation 
and flight control features of the system without flying the air- 
craft. 

All controls for this simulator are pilot accessable. By initializing 
to the conditions he desires, the pilot can enter and ''fly” his 
entire flight plan. System outputs in all but a few areas (such as 
full flow, RPM, MAP) will be identical to those found in flight. 

2.1.3 DAAS Controls and Displays 

The DAAS Cessna 402B aircraft contains — 

® Controls and displays necessary to manage DAAS functions. 

• Additional instr\iments necessary for IFR flight operations. 

• Independent safety pilot instrument installation. 

These controls and displays are layed out in the 402B control panel 
as indicated in Figures 2-1, 2-2 and 2-3. Cessna 402B Layout. The 
DAAS pilot is in the left seat, and the safety pilot in the right seat 


8 



Electronic displays — the Electronic Horizontal Situation Indi- 
cator (EHSI) and Integrated Data Control Center (IDCC) — are key 
elements of the panel. 

The EHSI presents a moving map display showing aircraft position 
with respect to desired course. The display is a 4.5-inch mono- 
chromatic Ball Brothers 103C CRT raster display unit. The dis- 
play unit has 256- by 256-dot matrix display capability. P43 
phosphor is used together with an appropriate narrow band optical 
filter to allow operation in bright sunlight. The EHSI is con- 
trolled by functional control buttons and a map slew controller. 

The Integrated Data Control Center (IDCC) is the pilot's primary 
means of interacting with DAAS. Included are a keyboard at the 
bottom of the unit and a set of function buttons along the top. 

The function buttons include a set of page select buttons which 
determine the information that is displayed on the IDCC display. 

The IDCC display CRT is identical to the EHSI; i.e., 4.5-inch by 
4.5-inch Ball Brothers monochromatic unit. The IDCC can display 
16 lines of 32 characters each. Line spacing is 0.25 inch, char- 
acter height is 0.162 inch, and character width is 0.125 inch. 

The IDCC is implemented with menu select buttons along each side 
of the CRT. 

Alternate approaches can be implemented to allow comparison during 
flight test. 

The DAAS EHSI is surrounded by the conventional "T" pattern of 
flight control instruments. 


9 




10 




VERTICAL SPEED INDICATOR 


IOC ENCODING ALTIMETER 
KAP 315 AUTOPILOT ANNUNCIATOR PANEL 
KCI 310 ADI 

WARNING/CAUTION LIGHTS 
DABS MESSAGE PENDING LIGHtV \ 

POI ILS SOURCE SELECT SWITCh)\ 

AIRSPEED INDICATOR 
EHSt 


ANGLE-OP-ATTACIC INDEXER 

MANIFOLD PRESSURE INDICATOR 
flPM INDICATOR 

FUEL FLOW INDICATOR 
E6T INDICATOR 


TELEDYNE ANGLE OF 
ATTACK INDICATOR 


OIL PRESS/TEMP 
INDICATORS 

AIRSPEED INDICATOR 

OAAS BATTERY TEMPERATURE MONITOR 

BATTERY TEMPERATURE ALERT PLACARD 
KG 258 ARTIFICAL HORIZON 
ALTHMETER 


Kt 226 RMI 

FUEL QUANTITY INDICATOR 

RMI SOURCE SELECT SWITCH 

ANGLEOF ATTACK HEATER 
SWITCH 


KA 51A COMPASS SLAVING CONTROL 
RC ALLEN TURN & SUP INDICATOR 

OXYGEN CYLINDER PRESSURE 
INDICATOR 

OUTSIDE AIR TEMPERATURE 
INDICATOR 



SUCTION GAGE 
VERTICAL SPEED INDICATOR 
KA 51A COMPASS SLAVING CONTROL 
KG 52SPNI 

TURN & BANK INDICATOR 
KMA 24 AUDIO PANEL 

NAV 3 RADIO 


COMM 3 RADIO 


CLOCK 

IDCC PAGE SELECT CONTROLS 
tOCC 

ALPHA NUMERIC KEYBOARD' 
GO-AROUNO SWITCH 
KMC 340 AUTOPILOT MODE CONTROLLER 
DAAS CIRCUIT BREAKER PANELS 


DAAS PILOT PANEL 


KMA 24 AUDIOPANEL 
KY 196 COMM TRANSCEIVER 
KY 186 COMM TRANSCEIVER 
KN 53 NAV RECEIVER 
KN 53 NAV RECEIVER 
KN 62A DME 
KN 76A TRANSPONDER 

DABS TRANSPONDER 
CONTROLLER 


SAFETY PILOT PANEL 


Figure 2-2. CESSNA 402B Control Panel Layout 



(^\DAAS POWER 

(LOCKING SWITCH) 



LEFT SIDE CIRCUIT 
BREAKER PANEL 



COCKPIT OVERHEAD PANEL 



(GUARDED) 



DAAS PEDESTAL PANELS 


Figure 2-3. CESSNA 402B Control Panel Layout 


12 





The ADI used in DAAS is the 4-inch King KCI 310 Flight Command 
Indicator. 

The altimeter is an IDC Encoding Altimeter type 519-28702-571. 

An altitude alert light is mounted on the altimeter. 

The rate-of-climb indicator provides vertical speed information 
to the pilot. The display presents rates of climb, or descent, 
in feet per minute. The face is 2-1/4 inches wide. 

The King KI 226 RMI displays heading and bearing to a selected 
VOR station. 

The DAAS Autopilot Mode Controller is located on the pedestal, 
and the Autopilot Mode Annunciator is located above the altimeter. 

DAAS engine instruments and radio stack are centrally located and 
are accessible to the DAAS pilot and the safety pilot . 

Unique DAAS switch controls located on the panel include : 

• NAV 1-DAAS/MANUAL Tune (located to the right of the NAV 1 
radio) 

• NAV 2-DAAS/MANUAL Tune (located to the right of the NAV 2 
radio) 

m DME SELECT (located to the right of the DME) 

• VOR source switch (located to the lower left of the RMI) 

• ILS source switch (located to the lower left of the ADI) 

NAV Receivers can be tuned manually (MANUAL) or automatically 
(DAAS). The DME SELECT switch allows the DME receiver to be 


13 



tuned by either NAV receiver 1 or 2. The DAAS position slaves 
the DME to the NAV receiver being controlled by DAAS. 

The safety pilot instrument set is independent from the DAAS 
instruments, and adequate for safe flight with DAAS inoperative. 

The safety pilot's Pictorial Navigation Indicator displays air- 
craft magnetic heading (gyro-stabilized), selected heading and 
selected course. Also, VOR and localizer course deviation, 
glideslope deviation and a TO-FROM indication are presented. 

The safety pilot's KG-258 artificial horizon is an air driven 
unit. It is the safety pilot's basic attitude/horizon reference 
indicator. 

Aircraft master power controls are centrally located overhead. 
Circuit breakers are located on the pedestal. 

2.1.4 DAAS System Architecture 

DAAS system architecture is presented in Figure 2-4. The archi- 
tecture is characterized by a modular computer system structure; 
i.e., multimicroprocessors interconnected by an IEEE 488 data bus. 
Each processor block in Figure 2-4, except for the radio system, 
represents an Intel 8086 16-bit microprocessor, 2k by 16 PROM 
memory, and 4k by 16 to 16k by 16 RAM memory. The radio System 
uses the Intel 8048 microprocessor. 

Each processor performs a function, and interfaces directly with 
the subsystems associated with that function. At power-on, the 
bus controller computer CPU-1 takes functional programs from the 
nonvolatile EEPROM memory, and sequentially loads each processor 
at the rate of approximately 1 second per processor. When all' 
processors are loaded, the bus controller activates the system. 


14 





Figure 2-4. PAAS System Architecture 











The bus controller then manages bus communications during normal 
operations . 

A portable TI Silent 700 cassette unit can interface with the bus 
controller to allow load or modifications of the functional soft- 
ware . 

Central Computer CCC) CPU 5 is a spare processor. If processor 
CC-CPU 3 or CC-CPU4 fails and the bus controller detects the failure, 

the bus controller will load CC-CPU 5 with appropriate software 
from the EEPR0I.1 memory, and CC-CPU 5 will then take over the function 
of the failed processor. (Note: This reconfiguration capability is 
especially important when an EHSI and an EADI are included in the 
PAAS system. With a failure in one display, the spare processor 
could be loaded to allow time sharing of the remaining good dis- 
play as both EADI and EHSI.) Such reconfiguration could be ex- 
tended to other processors such as CC-CPU 2, the autopilot. How- 
ever, for such reconfiguration the spare processor must interface 
with autopilot subsystems, which requires additional multiplexing 
of hardware. Reconfiguration was thus applied only to a limited 
degree in this demonstrator system. 


The DAAS architecture is modular. Functions can be added by add- 
ing necessary standard processor modules onto the 488 data bus, 
and interfacing these processor modules with the devices associ- 
ated with the new function. 

Six processors are contained in the DAAS Central Computer Unit. 
One processor is contained in the IDCC, and one processor is 
contained in the radio adapter unit. 


16 



2.2 DAAS HARDWARE DESCRIPTION 


DAAS system components, and their interconnections are depicted 
in Figure 2-5, DAAS System Diagram. Interconnection between the 
DAAS panel instruments, sensors, and the DAAS computer system is 
shown. The DAAS Central Computer obtains data from the radio sys- 
tem (radio adapter unit, radio stack), flight control sensors, 
engine instruments, configuration status sensors, and IDCC. 

Functional computations are performed on the input data and the 
results applied to EHSI, FDI, warning/ caution lights, and auto- 
pilot servos. 

Following is a description of new design DAAS flight hardware 
including : 

• Central Computer Units 

• IDCC 

• EHSI 

• Radio Adapter Unit 

The hardware is shown in Figure 2-6. 

2.2.1 Central Computer Unit (CCU) 

The CCU, Figure 2-7, consists of the following computer process- 
ing units (CPUs) and their associated I/O interfaces; 

• Autopilot CPU 

9 Bus Controller CPU 

• EHSI CPU 


17 



00 



Figure 2-5. DAAS System Diagram 


/ 


} 


1 


} 


I 





























Figure 2-6. 


DAAS Flight Hardware. From left to right 
Electronic Horizontal Situation Indicator 
Central Computer Unit, Radio Adapter Unit 
and Integrated Data Control Center. 


19 




o 


NAV CPU 


9 DABS CPU 
• Spare CPU 

In addition, the CCU contains a one mega-bit EEPROM memory and 
the regulated power supplies for the DAAS system. 

2. 2. 1.1 Mechanical — The CCU is packaged in a full ATR Chassis, 
The dimensions of which are given in the installation drawing 
shown in Figure 2-8. The chassis has been constructed to accept 
up to twenty-three 6.25 by 6.25 inch card assemblies plus four 
larger 10 by 6 inch card assemblies. All interconnections of the 
card assemblies are via a wirewrap mother board. 

2. 2. 1.2 CPU and Memory — Each CPU has been designed to fit on 
a single printed circuit” board card assembly as shown in Figure 
2-9. A CPU consists of the 8086 microprocessor, 4K by 16 of RAM 
memory, 2K by 16 of UV-EPROM, an 8259 programmable interrupt con- 
troller, and the IEEE-488 bus interface circuitry. In addition 
to the 8086 microprocessor IC, the processor also contains an 
8284 clock generator, bus buffer logic, and memory chip select 
logic. 

To facilitate software development, the 8086 is mounted in a 
quick-eject socket. This allows easy replacement of the 8086 
with an in-circuit emulator (ICE-86). The 8086 is operated at 
4 MHz by driving the clock generator with a 12 MHz crystal. This 
clock frequency was selected to be comptaible with the ICE-86 
which has a maximum limit of 4 MHz. 


21 




lecEHSs connector 
s AMPHENOL P/N 57-2OEM0-2 
\ MATE^ WiTH AMPHENOL C*>BLE 
\ P/H Noa-iom-aoj 

\ 



BOA' MOUNT F/ti jSE->0OO-O0a 



!! 

i 

I Figure 2-8. DAAS Central Computer Unit Installation 

j Drawing 















M-5 l'*5'«<«*>“’-'i.- W ■< 
fftf i' 


'irtIlL-5. . 




'"-'tM?P 






•iC *\%m»x 


b- 


^.; bt 

/;V S. 


H ' ' •"^'1 

A S 4 } 9 'i.i |T'^ 


ISr^^^rf" 


£ekmi 


35?SS5i^ 


Figure .2-9. DAAS Processor Module 


23 


Mmmmmimtmhti^ 





The 8259 programmable interrupt controller provides the capability 
for eight vectored interrupts. The IEEE-488 bus utilizes the 
highest priority interrupt with the rest of the interrupt lines 
connected to special functions associated with each processor. 

The IEEE-488 bus interface is implemented with the TMS9914 GPIB 
adapter and two bus transceiver ICs. The 9914 is a 40-pin LSIC that 
can be programmed to be a talker/listener or as a bus controller 
while meeting all of the requirements of IEEE-488. This feature of 
the 9914 allowed all of the CPUs to be designed identically. Communi 
cation between the 8086 and the 9914 is carried out via memory 
mapped registers. There are 13 registers within the 9914, 6 of 
which read and 7 write. These registers are used both to pass 
commands or data to, and to get status or data from, the device. 

There are 4K of RAM memory and 2K of UV-EPROM available on the 
CPU card assembly. An additional 4K or 8K of RAM memory is 
available with the memory expansion card assemblies. Memory ex- 
pansion card assemblies are provided for the autopilot, EHSI, 

NAV, and spare CPUs. Also provided on the memory expansion card 
assemblies is the I/O address decoding logic associated with that 
CPU. From a software standpoint, all of the I/O addressing is 
treated as memory mapped. 

2. 2. 1.3 DAAS Mass Storage Unit The Intel 2816 Electrically 

Eraseable Prom (EEPROM) is used for the nonvolatile mass storage 
of the CPU software programs and flight plans. This EEPROM memory 
system consists of two card assemblies containing 48 EEPROM devices 
with expansion capability to 64 devices . The mass storage is 
accessed using a bank select arrangement and gives the system a 
base of 786 K bits of storage with expansion to I megabit . 


24 


2. 2. 1.4 ecu Cassette Interface — Tape cassettes are used for 
initially loading the SEPROMs memory with the software programs 

for all of the CPUs. A PROM Utility Program in the bus controller CPU, 
allows the bus controller to read the ASCII data from the cas- 
sette, convert it to binary, and transfer the binary data to the 
EEPROM memory. A standard RS-232 interface is used between the 
bus controller CPU and the ASR733 data terminal with dual cas- 
settes. This RS-232 interface, along with additional EEPROM 
bank select', decoding, is contained on the cassette and, EEPROM 
memory I/O card assembly. 

2. 2. 1.5 Display Controller — Two ALT 512 graphics display con- 
trollers are used to generate the video signal for the EHSI. Each 
ALT 512 contains its own 131,021-bit refresh memory, TV sync, and 
video generator. The display field for each ALT 512 consists of 
two 256 by 256 by 1 planes. The two-plane arrangement allows 
eight different display formats. The mode of operation selected 
for the EHSI is to display one plane while the EHSI CPU erases 
and updates the other plane. Two ALT 512s are required to in- 
crease the throughput on the EHSI. The display information that 
requires faster updating is programmed in one of the ALT 512s 
while the slower information, which is updated at a slower rate, 
is programmed in the other ALT 512. The two ALT 512s are operated 
with one as the master, and the other as the slave (i.e. the slave 
receives its video clock and sync timing from the master). The 
combined video output is then transmitted to the EHSI CRT monitor. 

The ALT 512 utilizes a standard S-100 bus for all of the I/O 
interfaces. In order to provide the reconfiguration capability 
of letting either the EHSI CPU or the spare CPU drive the EHSI, 
the multiplexing of the address, data, and control lines from 
these CPUs to the ALT 512s must be provided. This multiplexing 


25 


circuitry is provided on the memory expansion cards associated 
with those CPUs. Control of which CPU is driving the EHSI comes 
as a discrete output from the bus controller CPU. 

2. 2. 1.6 ecu DABS Interface ■— Both the standard message (SM) 
interface and the extended length message (ELM) interface have 
been implemented for communication between the DABS transponder 
and the DABS CPU. The SM interface consists of a gated clock 
controlled by the transponder, and a bidirectional data line for 
serial transmission of data. For up-linking of information, 
data received from the transponder is converted from serial to 
parallel and stored in a 16 by 8 buffer memory. Upon receipt of 
a complete COMM-A message, an interrupt is generated to the DABS 
CPU which causes this CPU to read the contents of the buffer 
memory. For down-link information, the reverse process is re- 
quired. The DABS CPU loads a 16 by 8 buffer memory and then sets 
the B-bit in the SM interface format . Upon receipt of a COMM-B 
message to the transponder, the data is converted from parallel 
to serial and transmitted to the transponder. 

The ELM interface is a full duplex, synchronized serial binary 
data interface in accordance with RS-449. The following inter- 
face circuits are provided: 

ST - send timing (from transponder) 

SD - send data (to transponder) 

RS - request to send (to transponder) 

CS - clear to send (from transponder 
RT - receive timing (from transponder) 

RD - receive data (from transponder) 


26 


DM - data mode (from transponder) 

15 - terminal in service (to transponder) 

All of these interface circuits are bipolar, balanced circuits 
that operate at voltage levels and impedance levels as specified 
in RS-422. Operation of the ELM interface is similar to the SM 
interface except that the buffer memory is 256 by 8. This allows 
16 COMM-C or COMM-D segments to be received or transmitted as a 
block respectively. The transponder takes care of all the COMM-C 
and COMM-D decoding and downlink message initiation. The circuit- 
ry required to implement the SM and ELM interfaces is contained 
on the DABS SM card assembly and the DABS ELM card assembly. 

2. 2. 1.7 ecu I/O Interface — With the exception of the previously 
discussed interfaces, all of the I/O devices (aircraft sensors, 
engine monitors, mode control panels, etc.) interfaces directly 
with the autopilot CPU. This I/O interface provides the capabil- 
ity for: 

48 discrete inputs 

48 discrete outputs 

64 analog inputs 

16 analog outputs 

ecu Discrete I/O — The discrete inputs are multiplexed into 
4 words of 12 bits each before being read by the autopilot CPU. 

One of the discrete input words is reserved for self test (wrap- 
around) of the flight critical discrete outputs. Each discrete 
input is signal conditioned and prefiltered (0.8 msec, time con- 
stant) before being multiplexed to a comparator to determine its 
logic state. 


27 


The discrete outputs are organized into 3 words of 16 bits each. 
The discretes are stored in three 16-bit registers which are 
written into directly from the autopilot CPU. The outputs of 
these registers are buffered with high voltage open collector 
drivers, thus providing either an open or ground. The majority 
of the discretes are used for annunciation and the drivers tie 
directly to 28-volt lamps. The autopilot clutch engage and the 
auto-trim discretes require additional drive capability. This is 
provided with a discrete transistor stage added to the regular 
drivers . 

The discrete input circuitry and the discrete output circuitry 
for 16 of the outputs is contained on the discrete I/O card 
assembly. The circuitry for the rest of the discrete outputs 
including the special drivers is contained on the discrete out- 
put card assembly. The real-time clock is also included on this 
card assembly. The real-time clock is a counter running from the 
autopilot CPU crystal controlled clock. It generates an inter- 
rupt 40 times per second to the autopilot, NAV, IDCC , spare and 
bus controller CPUS. 

ecu Analog Inputs — Four DG 506 16-channel multiplexers are 
utilized to allow up to 64 analog inputs to be multiplexed to a 
12-bit (11 bits + sign) A/D converter. Each analog input is sig- 
nal conditioned, scaled, and prefiltered prior to the multiplexer. 
The AC signals are demodulated using an LF-198 sample-hold IC 
with the sampling synchronized to occur at the peaks. A frequency 
to voltage converter is used for signal conditioning of the true 
airspeed signal. 

The A/D converter and 32 channels of multiplexing are contained 
on the ADC and MUX card assembly. The A/D converter is a 


28 



successive approximation type converter with a conversion time of 
32 microseconds, including multiplex and settling time. The con- 
verter is composed of a 562 type D/A converter and two 8-bit 2503 
successive approximation registers. The input scaling is setup 
such that ±10 volts at the input to the A/D converter corresponds 
to full range. The additional 32 channels of multiplexing is 
contained on the DC Inputs and MUX card assembly. 

Also contained on this card assembly is the signal conditioning 
(differential buffer amplifiers and prefilters) for the dc inputs. 
The ac input card assembly contains a Scott-T transformer for con- 
verting the heading synchro signals to sin and cosine, second- 
order prefilters for the pitch and roll attitude signals, and the 
demod amplifiers for converting these ac signals to dc. The yaw 
servo amplifier, the pitch and roll command bar amplifiers, the 
VNAV deviation indicator drive circuitry, and the true airspeed 
frequency to voltage converter are also contained on this card 
assembly. 

ecu Analog Outputs — Each analog output consists of an LF-198 
sample-hold which is updated from a 12-bit D/A converter. Of the 
16 analog outputs provided, 8 are used for inflight recording, 3 
for the pitch, roll, and yaw servo amplifiers, 1 each for pitch 
command bar, roll command bar, and VNAV deviation, and the other 
two are spares. The D/A converter is a 562 type that is operated 
in the bipolar mode with a signal range of ±10 volts. The D/A 
converter, 16 sample-holds, 16-channel decoding, and the pitch 
and roll servo amps are all contained on the DAC and Servo Amp 
card assembly. 

2. 2. 1.8 ecu Power Supplies — All power for the CCU and the IDCC 
is generated from the aircraft +28 Vdc bus. An Abbott BNIOOO 


29 


power module is used for the +5-volt supply. This dc-to-dc con- 
verter uses a pulse width modulated inverter switching at 18 to 
20 kilohertz to achieve an efficiency up to 70 percent with out- 
put capability to 20 amps. Similarily, an Abbott BBN500 power 
module provides a dual output ±15-volt supply. This supply has 
an output current capacity of 1.67 amps on each output. 

The ALT-512 require +12 V dc which, is supplied from a linear 
regulator operating from the +15-volt supplies. All of these 
supplies require approximately 10 amps from the 28-volt bus. 

2.2.2 Integrated Data Control Center (IDCC) 

The IDCC, Figure 2-10 , consists of two basic assemblies: the CRT 

monitor assembly, and the chassis assembly. The over-all dimen- 
sion of the IDCC are shown in Figure 2-11. The CRT monitor assem 
bly is mounted in the IDCC chassis assembly which, in turn, is 
mounted in the aircraft . 

2. 2. 2.1 CRT Monitor Assembly — The CRT monitor assembly is a 
standard, solid state, monochromatic television monitor designed 
for avionics display applications. The monitor is 7.7 inches 
wide, 6.0 inches high, by 11.0 inches deep. It is a raster type 
monitor capable of 525 lines with a 2:1 interface at 30 frames 
per second, or a non-interlaced 262-line field at 60 fields per 
second. The latter is used in this application. The monitor is 
designed with P-43 phosphor and a narrow bandpass optical filter 
to produce a sunlight readable display. The display area is 4.5 
by 4.5 inches. 

2. 2. 2. 2 IDCC Chassis Assembly — The IDCC chassis assembly con- 
tains the following subassemblies in addition to the CRT assembly 


30 







MOUNTING SHELF FLUSH 
WITH LOWER EDGE OF 
.PANEL OPENING 





Figure 2-11 


iLOOO 


h-.50 


-.J*0-E4UNC-2B 
5 HOLES 


PECOMMEWOEP MOUNTtNG PIMENStOMS 




IDCC Installation Drawing 


• CPU and memory 

• Keyboard 

• Pushbutton switches 

• Touchpoint switches 

• Miscellaneous controls 

IDCC CPU and Memory — The IDCC contains its own central pro- 
cessing unit (CPU) and associated memory. The CPU is an 8086 
16-bit microprocessor. The memory consists of 16K by 16-bit RAM 
and 2K by 16 bit ROM. The RAM is used for both program memory 
and scratchpad memory, and the ROM is used to store the initial- 
ization programs. The CPU, together with 4K of RAM and the bus 
interface circuitry, is packaged on one card. A second card con- 
tains 8K of RAM. A third card contains 4K of RAM. The fourth 
card contains the CRT refresh memory and the I/O circuitry. 

The CPU, together with its memory, performs the following 
functions : 

• Message storage. 

• Message formatting. 

• Output of messages to display refresh memory. 

• Scanning of switches and touchpoints. 

• Outputting and receiving intercommunications with the 
Central Computer Unit over the IEEE 488 bus. 

IDCC CRT Refresh Memory — Since the CRT monitor has no memory, 
it must be re-refreshed at the 60-Hz field rate. A CRT controller 
circuit is used to accomplish this function. This circuit accepts 
data from the CPU defining the alpha-numeric characters to be 


33 


displayed on the CRT display. It then outputs the appropriate 
video signals to the monitor to display these characters at the 
60-Hz field rate. The display field consists of 16 lines of 32 
characters. 

IDCC Switch Scanning — The IDCC provides for scanning of the 
switches and touchpoints on the IDCC as well as the switches on 
the EHSI. The switches on the IDCC consist of the pushbutton 
switches (mode and page select) located across the top of the 
IDCC, the keyboard switches, the forward and back page switch, 
the message acknowledge switch, and the light touchpoints. The 
switches on the EHSI consist of the nine switches used for EHSI 
control, and the eight switches used for slewing the display and 
cursor. The switches are scanned and debounced using IC hardware 
The results of the scanning are entered into the CPU via memory 
mapped I/O and vectored interrupts. 

IDCC Keyboard — The IDCC keyboard is mounted at the lower 
left corner of the IDCC. It projects outward and downward at 
approximately a 30-degree angle for ease of operation. The key- 
board consists of 20 keys arranged in a four horizontal by five 
vertical matrix. 

It should be noted that the keyboard has full alpha-numeric capa- 
bility. Numeric entry requires only pressing one key. Alpha 
entries, however, require two key entry. Each key has three 
alpha characters in addition to the one nvimeral. The alpha char- 
acters are entered by first pressing the key with the triad of 
alpha characters that includes the desired character and then 
pressing one of the post designation keys, in the bottom row, to 
select left, middle, or right alpha character of the triad. 


The keyboard is back lighted for night operation. 


Pushbutton Switches — The IDCC has 18 pushbutton switches 
located across the top to the unit.- In the current mechanization, 

16 of the 18 pushbuttons are used. 

The pushbuttons are backlighted for night operation. One push- 
button (AUTO SEQ SEL) incorporates a green light indicator. The 
green light is on when the auto-sequence mode is active. 

IDCC Toughpoints — The IDCC incorporates touchpoints that are 
used to interact with the CRT display. 

This normal touchpoint configuration is implemented with eight 
individual switches located in the bezel of the CRT display. 

IDCC 488 Bus Interface — The IDCC communication with the central 
computer unit is over the IEEE 488 bus. The bus interface module 
(BIM) used in the IDCC is the same as that used in the central com- 
puter. It utilizes the TMS9914, IEEE 488 bus controller IC. 


35 


IDCC Power Requirements — The CRT monitor portion of the IDCC 
requires 60 watts maximum of 28 volts dc power, 28 VDC. The 
chassis portion of the IDCC requires approximately 2 amps of +5 
volts dc. The only other power required by the IDCC is the 
switch lighting power derived from the 28-volt dc. 

2.2.3 Electronic Horizontal Situation Indicator (EHSI) 

The EHSI, Figure 2-12, consists of two basic assemblies - the CRT 
monitor assembly and the EHSI controls assembly. The overall 
dimensions of the EHSI are shown in Figure 2-13. 

2. 2. 3.1 EHSI CRT Monitor Assembly — The CRT monitor assembly is 
idential to the IDCC CRT monitor assembly. For a detailed descrip- 
tion of the CRT monitor assembly refer to paragraph 2.1 of this 
report. 

2. 2. 3. 2 EHSI Controls Assembly — The EHSI controls assembly 
consists of a face plate, nine pushbutton control switches, and 
a slew control switch subassembly. 

EHSI Pushbutton Switches — The current mechanization uses 
eight of the nine available pushbutton switches. The pushbutton 
switches are white lighted for night viewing. In addition, green 
lighting is provided for mode annunciation. The heading-up/ 
north-up map orientation select switch, the MAP REVU-switch and the 
map slew or cursor slew select switches are split legend annunciators 
Either the top half or bottom half may be lighted green to indicate 
the mode selected. All other switches are full legend annunciations. 
Since the map return is a momentary mode, the green annunciator is 
not used on this switch. 


36 



a'-i- 



RECOMMENDED MOUNTING DIMENSIONS 



Figure 2-13. EHSI Installation Drawing 




All switch actions are momentary. The mode latching is done in 
the IDCC CPU. As discussed in paragraph 2. 2. 2. 2, these switches 
are scanned by the IDCC CPU. The IDCC, CPU also controls the 
annunciator lighting. 

EHSI Slew Control Switch — The slew control switch consists 
of a single lever. The lever is mechanically constrained so that 
either horizontal or vertical movement only is allowed. The lever 
is spring loaded to the center off position. The lever actuates 
one or two switches in each of the four directions, up, down, left, 
or right. The first switch activation causes a slow slewing effect, 
the second causes a fast slewing effect. 

2.2. 3. 3 EHSI Power Requirements — The CRT monitor portion of 
the EHSI requires 60 watts maximum, 28-volts dc power. The con- 
trol switch portion requires only the signal level scanning power 
from the IDCC CPU. Nighttime lighting and annunciator lighting 
power for the switches is derived from the IDCC. 

2.2.4 DAAS Radio Adapter Unit (RAU) 

The following functions are performed by the RAU, Figure 2-14. 

- Tune the radios as commanded by the DAAS computer 

- Process VOR/LOC/CS data from NAV 1 and NAV 2 

- Process station identifiers 

- Process DME distance 

- Generate a radio system status word 

- Format the data for block transfer 


39 



40 





- Exchange information with the DAAS computer via the 
IEEE 488 bus 

In addition to interfacing with the radio units, the RAU also 
interfaces with — 

- 28-V dc aircraft power 

- KMA 24 audio panel (with KA 35A) 

- KCI 310 ADI (through ILS source switch) 

- KI 226 RMI (through the VOR source switch) 

- DME channeling switch and ILS source switch 

- DAAS/Manual status switch for each NAV receiver 

The DAAS system RAU uses a microprocessor system for a flexible 
interface for control and data processing. The interface ex- 
changes data on the 488 bus using standard talker/listener func- 
tions and handshaking protocol. Also, the system monitors the 
radios, retaining and refreshing a defined data block for the 
data exchange process. 

The processor sends the proper tuning commands to the radios, 
processes the received position data and transfers this data in 
block format to DAAS. The data block transfers occur at a fixed 
rate of approximately 20 updates per second as required by the 
bus controller. 

The radio adapter unit will exchange data over the IEEE 488 bus. 
A dedicated general purpose interface buffer (GPIB) will handle 
the standard talker/listener protocol for transferring data. 

Data will be stored in a buffer to eliminate slowing down the 


41 


processor. Bus setup time is <_ 45 ys and data transfer rate is 
<_ 15 us per byte. 

NAV 1 and NAV 2 provide a video composite with either VOR or LOG 
information modulated onto the 9960-Hz subcarrier. The interface 
circuit identifies what type of information is present, demodu- 
lates the composite, and digitizes the result. The VOR/LOC data 
from NAV 1 and NAV 2 can also be displayed on the KI 226 and the 
KCI 310 indicators. The specific display mode is a function of 
the status switches. 

Glideslope information is also available from the KN 53 Naviga- 
tion Receivers. The signal will be conditioned in the interface 
for digital conversion. The digitized data will then be processed 
and maintained in the data block for transfer to DAAS. As with 
VOR/LOC, glideslope information can also be displayed on the KCI 
310 Indicator. The program will select the navigation unit to be 
displayed when in the DAAS mode. 

To validate active channels of the navigation radios, the identi- 
fiers will be read electronically, converted to the ASCII equiva- 
lent of the received Morse code, and stored as part of the data 
block. 

The similarity in tuning procedure for the KN 53 and KY 196 allows 
a common method of tuning these radios. The interface simulates 
the actions of the front panel rotary knobs by closing increment/ 
decrement switches electronically to change frequency. The 
standby frequency only is affected by the tuning switches. To 
change the active channel, standby is turned to the selected 
frequency, and an active/standby exchange is executed. The approx 
imate worst case tuning time for a KY 196 or KN 53 to sweep full 


42 


band is 250 milliseconds. To execute an active /standby exchange, 
approximately 50 milliseconds is required. The hardware for 
tuning the KY 196 receivers is included in the RAU, but not the 
necessary software. 

The KN 62A can be tuned by DAAS NAV 1 or NAV 2 through a common 
bus. Then the DAAS mode of tuning is enabled at the DME, one of 
these three sources will supply the DME tuning data. The DME 
channeling switch then enables the desired tuning source. The 
KN 62A tuning format is the 2 by 5 code. Approximately three 
seconds are required to tune the KN 62A and acquire valid 
distance. 

To verify the auto tuning function, or to read the DME channel, 
data is read from the internal tune bus. This data is serial BCD 
information. A sync and clock are available to strobe this data 
into the interface. 

The following switches are used by the pilot for radio system 
mode selection: 

Manual /DAAS 
Manual /DAAS 
NAV 1/DAAS/NAV 2 
NAV 2 /DAAS /NAV 2 
NAV 1/NAV 2 

Complete pilot in a manual mode of operation is assured by the 
Manual position of the switches. 

Range information from the KN 62A is 18 bits of serial BCD data. 

A synchronous clock is provided to shift the data into the inter- 
face for processing. The microprocessor will convert this data 

43 


NAV 1 
NAV 2 
DME 

ILS Source 
VOR Source 


to a 15-bit binary word (LSB = 0.02 NM) and maintain the current 
distance code in the data block. 

2.3 DAAS SIMULATOR EVALUATION : 

Pilot evaluation of the DAAS functional configuration has been 
conducted on the DAAS flight simulator, Figure 2-15. Extensive 
refinement of the functional configuration has resulted. Follow- 
ing is a description of the simulator evaluation program and the 
evaluation results. 

2.3.1 Summary of Results 

A simulator program was conducted with the objective of deter- 
mining areas where system improvement might be accomplished. 
Specific system improvement proposals were identified and dis- 
cussed by the simulator pilot subjects and the DAAS system engi- 
neers. Changes were defined based on both their desirability and 
their effect on DAAS complexity. 

System improvements are those changes which would enhance the 
operational acceptability of the DAAS pilot /system interface. An 
iterative approach to the simulator program allows the verifica- 
tion of the DAAS functional performance, including improvements 
as they are defined. 

Simulator program change proposals were judged in light of the 
over-all objectives of DAAS; i.e., improve the safety and depend- 
ability of general aviation IFR operations without increasing 
pilot proficiency requirements or the cost of the avionics. 




Two General Aviation pilot evaluations were conducted during the 
development of DAAS , and in addition, NASA Research Pilot Gordon 
Hardy examined DAAS frequently during DAAS development. 

The first evaluation was conducted in October 1979, Three 
General Aviation pilots participated. The three pilots were: 

J. Lindberg, Instrument Flight Training, a Division of Van Dusen; 
R, Albertson, representing King Radio; and W. Unternaehrer , 
Honesnvell Avionics Engineering. All three have airline type 
pilot ratings, although they have never flown for an airline. 

Two pilots, Lindberg and Albertson, are designated FAA Flight 
Examiners. 


A four hour system briefing was conducted followed by one hour of 
simulator time for each evaluation pilot. Following this exposure 
to the system, a four hour debrief and discussion was conducted 
on all functions examined in the simulator. Comments were favor- 
able, and a number of DAAS features were considered excellent. 

For example, the capability of map slewing and automatic waypoint 
generation received high ratings. The evaluation results were 
positive for the most part, though some concerns were pointed out. 
An example of a concern was the effectiveness of touchpoint data 
entry both on the ground and during flight. The problem centers 
around inadvertent entries and concern for difficulty making data 
entries during flight turbulence. 

There were thirty-five pilot comments made regarding suggestions 
for improvements to the DAAS. Many of these have subsequently 
been incorporated. 


46 


The second evaluation was conducted on March 1980. Four General 
Aviation pilots participated. The four pilots were: D. Rodgers, 

King Radio; R. Albertson, King Radio; W. Unternaehrer , Hone37well; 
and Larry Peterson, Honeywell. A detailed briefing was per- 
formed. The pilots then flew a scenario (see paragraph 2.3.2, 
scenario) in the simulator which required input of initial data, 
navigation data, checklists, interaction with EHSI and autopilot. 
Man Machine Science specialists monitored each pilot in his per- 
forming the scenario. Questions and comments of a human engineer- 
ing nature were recorded. Following the flights each pilot filled 
out a questionnaire. The combination of close monitoring during 
the scenario flight, the questionnaire data, and individual pilot 
debriefs provided comprehensive evaluation of the DAAS. This in- 
formation has been assessed and the results are discussed in 
section 3 of this report. 

The evaluation participants were generally enthusiastic about the 
DAAS concept and functional configuration. Access to data was 
considered to be significantly enhanced. Navigation, with stored 
data base and map display, was considered to reduce pilot work- 
load and improve pilot capability in the terminal area. DAAS 
capabilities to support good pilot practices in weight and bal- 
ance computations and take-off performance computation, as well 
as DAAS precise navigation capability, were judged to potentially 
improve general aviation flight safety. 

Evaluators generally agreed that (1) DAAS type systems can pro- 
vide greatly expanded functional capabilities, and (2) minimizing 
complexity and optimizing the pilot system interface is a major 
challenge . 


47 



2.3.2 Simulator Description 


2. 3.2.1 General Purpose Facility — The DAAS simulator is a 
general purpose facility consisting of the following primary 
components: 

• Data General Eclipse S/200 CPU 

• Data General Nova 3/12 CPU 

• 16-bit parallel DMA between above CPUs 

a Datel System 256 Hybrid I/O Unit with 32 D/A and 64 A/D 
channels 

• Discrete I/O with 16 inputs and 16 outputs 

• Megatek MG552 Graphics Generator Unit 

• Pace 231R Analog Computer 

The Nova 3/12 CPU and Megatek graphics unit generate multiplexed 
alphanumeric and graphic formats with associated blanking signals 
to drive two independent direct-draw CRT displays. Other digital 
simulation tasks and hybrid I/O are performed by the Eclipse S/200. 

2. 3.2. 2 DAAS Simulation Hardware — The fixed base mockup of the 
pilot's control station includes seat, instrument panel, flight 
controls, and engine controls configured to the approximate dimen- 
sions in a Cessna 402. Since outside visual scene generation was 
not available, only IFR flight conditions were simulated. 

Functional Controls — The following pilot controls are func- 
tional in the simulator: 


48 . 



• Ailerons and Elevator — Spring centered control wheel with 

hydraulic dampers on each axis. 

• Rudder — Spring centered pedals. 

• Elevator Electric Trim Switch — On control wheel. 

• Flap Position. 

• Autopilot Mode Control — King KMC 340. 

• Control Wheel Steering Switch — On control wheel. 

• Autopilot Dximp Switch — On control wheel, 

a Go-around Switch — On left throttle grip. 

• Throttle — Left lever functional, 
o RPM — Left lever functional. 

• Mixture — left lever functional. 

• Gear Switch. 

• IDCC Touch Panel — Eight touch points. 

• IDCC Function select Keys — 18 keys. 

• IDCC Alphanumeric Keypad — 15 keys. 

• IDCC Enter and Backspace Keys. 

• EHSI Cursor Slew Control 


49 



Functional Displays — The following pilot displays are func- 
tional : 

• ADI — King KCI 310 

• EHSI — 4 X 5-inch direct draw CRT (Tektronix Mod. 608) 

• IDCC — 4 X 5-inch direct draw CRT (Tektronix Mod. 608) 

• RMI — King KI 581 

9 Mode Annunciator — King KAP 315 

• Airspeed Indicator — 2.75-inch meter with 250-deg. pointer 
range 

• Baro Altimeter — three pointer DC servo drive 

• Vertical Speed — 250-deg, 2.75-inch meter 

• Manifold Pressure - 250-deg, 2.75-inch meter 

• RPM — 250-deg, 2.75-inch meter 

• Fuel Flow — 250-deg, 2.75-inch meter 

• Aircraft Clock 

• Master Caution and Warning Lights 

The KI 581 Radio Magnetic Indicator, listed above, is similar 
in appearance to the KI 226 , and was recommended by King Radio 
for use in the simulator. Simulated IDCC and EHSI displays dif- 
fer from the 4.5-inch-square displays with in-raster symbol gener- 
ation in DAAS. The simulator facility is currently limited to 
direct-draw display generation. Tektronix 608 Monitors 
approximate the planned for use in DAAS. The simulator facility is 
currently limited to direct-draw display generation. Tektronix 
608 Monitors approximate the planned DAAS display dimensions to 
within 0.5 inch, and can be driven by the X, Y, Z, and blanking 


50 



outputs produced by the facility's existing graphics generator unit 
Touch points were also implemented differently. The simulator used 
optical beams superimposed on the face of the IDCC screen. The 
DAAS system was mechanized using switches located on the bezel of 
the IDCC. This modification was made as a result of recommendation 
from the simulator. 

Installation of one King KY 196 Comm Transceiver and a KT76A 
Transponder in the simulator is included to provide the means for 
exercising these functions in the pilot's procedural sequence. 

Labeled paste-ups of all remaining indicators are included on the 
simulated instrument to demonstrate DAAS and backup pilot panel 
layouts. 

Simulator Hardware Interfaces — Figure 2-16 summarized inter- 
faces between the facility computers and control/display devices. 
The analog computer is used only for gain and null settings on 
proportional controls and DC-meter panel instruments. 

2. 3. 2. 3 DAAS Simulation Software — Software was developed 
for digital simulation of the following system and environmental 
components : 

• Aircraft and engine 

• Flight control system 
o Mean wind and gusts 

• Ground navigation 

• Navigation algorithms 

• Sensor outputs 


51 



TERMINAL 

DISC 

MAG TAPE 

LINE 

PRINTER 


TERMINAL 

DISC 



THROTTLE. RPM, MIXTURE. 
AND FLAP CONTROLS 


AILERON. ELEVATOR. RUDDER. 
TRIM. AND GEAR CONTROLS 


PANEL INSTRUMENTS 


PANEL INSTRUMENTS 


HSI CURSOR CONTROL 
AND FCS MODE SWITCHES 


ANNUNCIATOR LIGHTS 
AND INSTRUMENT FLAGS 


IDCC KEYS AND 
TOUCH PANEL 


IDCC AND EHSI 
DISPLAYS 


Figure 2-16. Simulator Hardware Interfaces 


52 




« IDCC functions, paging and display formats 
« EHSI display formats 

• System failures and other unplanned events 

Digital Program Description — The digital program is divided 
into a set of modules or subroutines, all sharing a common data 
base. This data base consists of two arrays: one real array 

consisting of up to 1000 real variables, and the second an in- 
teger array consisting of up to 500 integer or logical variables. 
Each element of the arrays is equivalenced to a mneumonic of six 
letters or less. The following software subroutines are included: 

ARPLN — Aircraft equations of motion 

LACL — Lateral axis control law 

PACE — Pitch axis control law 

ENGIN — Engine model 

MODSL — Mode select logic 

ADC — Analog to digital converter 

SERVO — Servo model 

DISIO — Discrete input /output processing 

SNMOD — Sensor model 

ALTHLD — Altitude hold model 

NAVCM — Navigation computations 

SERIO — Serial input/output processing 

IDCC - IDCC display processing 

EHSI — EHSI display processing 

INSTR — Instrumentation signal processing 


53 



All subroutines are called by an executive routine which also 
controls system timing by utilizing an interrupt driven real time 
clock. 


2.3.3 Pilot Evaluations 

Several Indices were used to assess the pilots' responses to the 
DAAS system simulation. These included observation of the pilots 
during the actual simulation exercise, as well as a paper-and- 
pencil questionnaire and informal debriefings following each ses- 
sion. The combination of these evaluation techniques yielded a 
relatively comprehensive assessment of the pilots' impressions of 
DAAS. 

2.3.4 Evaluation Procedure 

The DAAS evaluations consisted of four elements: 

1. Pilots were briefed on the DAAS system and the aspects of 
it that were to be evaluated. 

2. Pilots then flew the simulator following a scenario for a 
planned flight of approximately 15 to 20 minutes. 

3. Immediately following the simulator exercise, each pilot 
filled out a questionnaire while elaborating verbally 

on their responses. 

4. Debriefing by means of an informal, on-going discussion 
with one or more pilots present completed the evaluation 
procedure. 


54 



2. 3.4.1 Briefing of Subjects — Briefings were given to the DAAS 
evaluation pilots who were not directly associated with the de- 
sign of DAAS. These briefings emphasized the functional charac- 
teristics of DAAS and the particular aspects that were to be 
evaluated. 


The briefings followed the outline as follows: 

1. Objectives of DAAS 

2. Description of Controls and Displays 

2.1 Airspeed Indicator 

2.2 Attitude Director Indicator 

2.3 Mode Annunciator Panel 

2.4 Altimeter 

2.5 Altitude Rate Indicator 

2.6 Electronic Horizontal Situation Indicator and Controls 

2.7 Engine Instruments 

2.8 Integrated Data Control Center 

2.8.1 Display 

2.8.2 Touchpoints 

2.8.3 Page Select Buttons 

2.8.4 Navigation Buttons 

2.8.5 Keyboard 

2.9 Caution and Warning Lights 

2.10 Autopilot Control Panel 

2.11 Miscellaneous Controls 


55 



2.11.1 Flap Control 

2.12.2 Throttle Quadrant 

2.11.3 Go Around Switch 

2.11.4 Trim Switch 

2.11.5 Autopilot Disengage Switch 

2.11.6 Control Wheel Steering Switch 

3. IDCC Functions and Pages 

3.1 Initialization 

3.2 Weight and Balance 

3.3 NAVAID Data and Storage 

3.4 Waypoint Data 

3.5 Flight Status 

3.6 Take Off and Cruise Performance 

3.7 Check Lists 

3 . 8 Emergency Procedures 

4. EHSI Functions and Features 

4.1 Heading Indication 8s Heading Select 

4.2 Display Format 

4.2.1 RNAV linked 

4.2.2 RNAV unlinked 

4.2.3 VOR 

4.2.4 ILS 

4.3 Vertical Track Angle and VNAV 

4.4 Waypoint Bearing Indicator 


56 



4.5 Miscellaneous Indications 
MDA or DH 

Waypoint in use and available 
Course 

Distance to Waypoint 
Time to Waypoint 
Waypoint Altitude 
Radios in use 


4.6 

Heading/North Up 

4.7 

Map Scales 

Navigation Features 

5.1 

Map Review 

5.2 

Map Slew 

5.3 

Map Return 

5.4 

Use Button 

5.5 

Course Select 

5.6 

Auto Sequence 

5.7 

Horizontal Direct 

5.8 

VNAV 

5.9 

Waypoint Generate 

5.10 

Delete Waypoint 

5.11 

Insert Waypoint 

5.12 

Cursor Use 


57 



6. Attitude Director Indicator 

6.1 Horizon 

6.2 Command Bars 

6.3 Localizer Deviation 

6.4 Glide Slope Deviation 

6.5 VNAV Deviation 

6.6 MDA and DH Indicators 

7. Autopilot Mode Select Panel 

7 . 1 Yaw Damper 

7.2 Flight Director 

7.3 Autopilot 

7.4 Altitude Arm, Hold and Trim 

7 . 5 VNAV 

7.6 Heading Select 

7 . 7 Approach 

7.8 Navigation 

2. 3. 4. 2 Evaluation Scenario. Minneapolis Area — The evaluation 
scenario was planned for approximately 15 to 20 minutes of flight 
starting with a takeoff from the Minneapolis, St. Paul Inter- 
national Airport as waypoint 1; hence to waypoint 2, STILS inter- 
section; hence to waypoint 3, RENEW intersection; hence to way- 
point 4, BONNA Initial Approach Fix for an RNAV approach to Rwy 
29 Right , with waypoint 5 the missed approach point located at 
the landing end of Rwy 29 Right. Figure 2-17, Minneapolis local 
area victor airway IFR map, describes the flight route. 


58 




( mS^AOQ 
LAKt:' 


rms- 

lAKK 


’^ORKrS 

LAH£j^ 


UIHH 

«3«r*wiiy ■ 
V:y ITOrth 

9m ^ 


OSCtOtA WIS 
Sin«ftMa4 

m. 


HW \ 
SfAHtMi: \ 

^ L.\KK I 




wkiiT 


Vt'/f/TT 

UL'An 

l^ihK 


MIHNEAPOUSJ 
Ml!TM« i 
Crjittwi. f 
&e9*. I 


tomr 


crt , — 

^ 1 y ;^-;io«ur • .• ^ 


^as* O” 


UKKS 

MLWfTWXKA 


^CA^LtSV 

*Mm«t •'V 

[tnnA«po3;i«> 3 

St p«4 ^ 


V4CCY * 
m AF \ 


fr/^m 

NAiCO 

2UMS 


YttCt 


nrit 


7*<wYwTor 
115.7 FCT 


HyuFsHr 

ftfsyHVfUM 


MINNtA^OlfS 

■ 7A<«IN0T0M> 

m.f 


'X 

* NtAfH 


F9AGI 


'4cl«ton: 

•320 


CAHfA 


rnsT 


Figure 2-17. 


Evaluation Scenario Chart 
(Minneapolis Local Victor Airway Chart) 


59 


The flight time of 15 to 20 minutes was of sufficient duration to 
permit the exercising of the DAAS functions. Preparation for the 
flight, the entry of data via keyboard into the IDCC such as take- 
off performance calculations, weight and balance etc., took an 
additional 15 to 20 minutes. Thus, the evaluation pilot was in 
the simulator seat for about 40 minutes, which was not long 
enough for either fatigue or boredom to enter the evaluation 
equat ion . 

The NAVAID Data entered into DAAS is described in Table 2-1 and 
consists of the VOR/DME stations used for waypoint definition. 
Table 2-2 lists the waypoints and describes the vertical naviga- 
tion profile. Figure 2-18 is the RNAV approach chart for Minne- 
apolis, St. Paul, International Airport Rwy 29 Right. 

The following is a description of the scenario in the order of 
actual events: 

1. Review flight plan as shown in Figure 2-17. 

2. Power-up system - IDCC INIT PAGE appears. Pilot enters 
Zulu time (GMT). 

3. Press MENU button and select touchpoint WEIGHT & BALANCE 

4. WEIGHT Sc BALANCE, Pages 2 through 3 - Enter passenger, 
cargo and fuel weight as appropriate. Review results on 
page 3 to see that the calculated CG is between the forward 
and aft limits and that the maximum takeoff weight is not 
exceeded. Transfer results to INIT page. 

5. Press MENU button and select touchpoint TAKEOFF PERFORMANCE. 


60 



Table 2-1. NAVAID Data for Evaluation Scenario 


NAVAID 
No • 

Frequency 

I.D. 

Elevation 

Latitude 

Longitude 

Variation 

1 

MSP 117.3 

880 

N4508.7 

W09322 . 4 

6E 

2 

FGT 115.7 

930 

N4437 . 9 

W09310.9 

6E 

3 



N 

W 


4 



N 

W 


5 



N 

W 


6 



N 

W 


7 



N 

W 


8 



N 

W 


9 



N 

w 


0 



N 

w 



61 
















Table 2-2. Waypoint Data for Evaluation Scenario 


DAAS Waypoint Data Sheet 

WP 

NAVAID 
No. ID 

Frequency 

Elevation 

(Ft) 

CRSl 

(Deg) 

CRS2 

(Deg) 

Radial 

(Deg) 

Distance 

(NM) 

Altitude 

(Ft) 

Offset 

(NM) 

RNAV/VOR/ILS 

MDA 

1 

1 

MSP 





151.0 

17.1 





2 

1 

MSP 





094 

28.0 

3000 

4.0 









. 







«J 











4 

2 

FGT * 

^ 




035 

13.0 

4000 




5 

2 

FGT 

X 





352 

15.0 

^1400 



1400 

7 



Missed Approach Point 
(MAP) 

) 



MDA*^ 

T 




3 













9 













0 














62 

























UtU' 



3 MINNEAPOUS, MINN. 

MINNEAPOLIS -ST. PAUL INT'L 

RNAV Rwy 29R 

. . . . vo« 115.7 FGT i- 

' - “ 0»M VOKAC 

» Apt^ 341 


IOS*(^MINN£APOUS VOff ' 

Mf "i. 0 t 7 TV" 


WHISK INT 


5.0 NM 

from W.'P MAP- 




' w-o*»f 
'fAMlWNGTON^ 

01 15.7 FGT 


JM4 37.» WO»J IM 


4000' 

(iwrj 


•Mssw AmoACMkClimb lo 4000'.:'h«n LEFT turn dlrucf W/P BQNNA and hold. 


STKiUGHt tN tANOINO 


t400fJ7TJ 


1400*7«r;.l 


1400’i55ri.l '/» 


1460'{»i»’.-2 




i:aj 35 


MlffNCAPOUi ApproAcH 'ir ^ f.rtt 49th chw«f4># fr«q* 


■' '"f--:- i,/ 

Cr«u«i4 121»9 



Figure 2-18 . 


Minneapolis-St . Paul International 
RNAV Rwy 29 Right 


63 






6. TAKEOFF PERFORMANCE - Enter all appropriate data for take- 
off. Review results of computation on page 2. 

7. Press MENU button and select touchpoint CRUISE PERFORMANCE 

8. CRUISE PERFORMANCE - Enter appropriate data for cruise. 

9. Press NAVAID DATA button - enter VOR/DME data for appropri- 
ate NAVAID stations required to define waypoints for flight 
planned. See Table 2-1 for NAVAID data entry. Press 
NAVAID SUM button to review the data entered. 

10 Press WAYPOINT DATA button - enter waypoints that define 
intended flight. Review data entered by flipping through 
waypoint pages 1 through 5. See Table 2-2 for waypoint 
(WP) data for evaluation scenario. 

11. Using Electronic Map Slew lever and appropriate map scales, 
review the entire flight. 

12. Prepare for takeoff using IDCC checklists. 

13. Takeoff; engage auto pilot after airborne; climb to 400 
feet; use heading select to turn for an intercept with 
course 1 of WP2; activate autopilot NAV ARM; and as air- 
craft couples and settles down on course 1, select auto- 
pilot VNAV. Press AUTO SEQ button for course 1 to switch 
automatically to course 2. 

14. Halfway to WPS, make WPS active by selecting WPS data page and 
pressing USE button. 

15. Press FLIGHT STATUS button for true airspeed, ground speed, 
wind, ETA, and fuel available. 


64 



16. Halfway to WP4, make WP4 active by selecting TO4 data page and 
pressing USE button. 

17. Waypoint 4 is BONNA, the initial approach fix (lAF) for 
approach to Rwy 29 Right. At 3 miles from WP4, slow aircraft 
to 120 kts and review landing checklist. See Figure 2-17, 

RNAV Approach Chart Minneapolis Rwy 29 Right . 

18. Over WP4, extend landing gear and flaps. 

19. Select WPS data page (MAP) and press USE button. 

20. Monitor indicated airspeed to 100 kt and glide slope to 
about 3 degrees on the EHSI Vertical Track Angle indicator. 

21. At the minimum descent altitude CMDA) the aircraft goes to 
altitude hold and passes over WPS MAP. End of evaluation 
scenario . 

2. 3. 4. 3 Post-Scenario Questionnaire — A post-scenario question- 
naire was developed to provide quantitative assessment of pilot 
response to the human factors characteristics of the DAAS simula- 
tion scenario exercise. Rating scales were used to assess re- 
sponses to overall system operation, as well as specific charac- 
teristics of the IDCC and EHSI keyboards and displays. The 
questionnaire addressed each of the following areas: 

• Overall System Operation 

- Workload assessment 

- Adequacy of information provided 

- Relevancy of Information provided 

- Time assessment 

- Potential training requirements 


65 



• Time 

• Method (simulator versus isolated CRT displays) 

• IDCC Keyboard and Display 

- Ease of data entry 

• Time required 

• Keyboard location 

• Keyboard format 

- Adequacy of information displayed 

• Major functions/menu selections 

• Feedback for error corrections 

• EHSI Keyboard and Display 

- Ease of data entry 

• Waypoint insertion 

• Keyboard location 

- Adequacy of information displayed 

• General Comments 

The post-scenario questionnaire was given to each pilot immedi- 
ately following the simulation exercise. Administration of the 
questionnaire was informal, and verbal comments from the pilot 
elaborating on their responses to each item were encouraged. 

Thus, the questionnaire also served as a point of departure for 
the debriefing discussions which followed. 

2. 3.4.4 Debriefing — Debriefing involved informal ongoing dis- 
cussion with one or more of the pilots present at any given time. 
Thus, pilots were able to discuss the simulation from several 


66 



viewpoints. The result was an indepth analysis of both the func- 
tional characteristics of DAAS and its general acceptability as a 
future on-board system. 

2.4 FAILURE MODE AND EFFECTS ANALYSIS (FMEA) 

The intention of this FMEA is to analyze the effects of failed 
DAAS elements, the probability of the failures, and how the pilot 
workload and the flight safety situation are affected by the fail- 
ures. The importance of the safety pilot is discussed. DAAS 
compatibility to FAR Parts 23 and 91 is also assessed. 

Assessment of DAAS compliance with FAR requirements, and analysis 
of failure effects in general can be summarized as follows: 

• Failure Effects with Respect to FAR Requirements 

- Of the 86 DAAS elements analyzed, FAR Parts 23 and 91 
VFR and IFR CAT 1 requirements are applicable to 36. 

There are no conflicts for fault-free DAAS. 

- 25 DAAS elements may fail without violating any FAR 
requirements . 

- 11 failed elements violate FAR 23. 1329. e for the initial 
DAAS design. These 11 failures violate FAR 23.1329e 
which says : 

"Each system must be designed so that a single mal- 
function will not produce a hardover signal in more 
than one control axis." 


67 



Recommendat ion — The FAR 23. 1329. e conflict was resolved by 
introducing 3 hardware limiters located down stream of the 
pitch, roll, and yaw D/A converters. These limiters will 
prohibit any DAAS computer failure from commanding the 
servos hardover. 


• Failure Effects, General — The 86 DAAS elements were split 
into the 4 failure categories ; 


22 Elements - Category 1, Failure Effects 

36 Elements - Category 2, Failure Effects 

26 Elements - Category 3, Failure Effects 

2 Elements - Category 4, Failure Effects 


Negligible 

Inconvenient 

Demanding 

Critical 


The two critical failures are Aircraft 28-Vdc and Avionics 
28-Vdc bus. The category 4 failure probability is very low, 
less than 10” for a 4-hour flight. 

Recommendations 


1. The DAAS failure effects are not critical with the 
exception of the Aircraft and Avionics 28-Vdc bus 
failure. The probability of these failures happening 
is low enough to make them negligible. No action 
required. 

2. Flight safety is dependent on the safety copilot. He 
should closely monitor the DAAS performance, especially 
at low altitude, take-off, and landing conditions. 


68 



Following are the details of the analysis including description 
of the DAAS system analyzed, assessment of DAAS compliance with 
FAR requirements, and description of the FMEA results. 


2.4.1 DAAS System Description 

The present DAAS is defined in the following documents: 

1. Demonstration Advanced Avionics System (DAAS) Functional 
Description by Honeywell Inc. and King Radio for Ames Research 
Center, NASA. 

2. DAAS System Specification (YG1210) January, 82, Honeywell 
Specification DS28150-01. 

3. Software Development Specification for YG1210 NASA DAAS, 
Honeywell Specification DS28152-01. 

4. Miscellaneous diagrams and papers describing the Cessna 
402B cockpit and servos . 


2.4.2 Assessment of Compliance With FAR Requirements 

FAR Parts 23 and 91 are applicable to DAAS. The applicable FAR 
paragraphs are restated below and comments given as to how they 
are met by DAAS. 

2 . 4 . 2 . 1 FAR Part 23 Equipment , Systems and Installations — The 
DAAS, when installed in the aircraft, must meet the following re- 
stated FAR Part 23 requirement: 


69 



Requirement, 23.1309 


(a) Each item of equipment, when performing its intended func- 
tion, may not adversely affect: 

(1) The response, operation, or accuracy of any equipment 
essential to safe operation; or 

(2) The response, operation, or accuracy of any other 
equipment unless there is a means to inform the pilot 
of the effect. 

(b) The equipment, systems, and installations of a multiengine 
airplane must be designed to prevent hazards to the airplane 
in the event of a probable malfunction or failure. 

(c) The equipment, systems, and installations of a single-engine 
airplane must be designed to minimize hazards to the air- 
plane in the event of a probable malfunction or failure. 

Comment : 

The DAAS development program should eliminate adverse affects 
specified in item a. Tests in simulators, qualifications tests, 
and checkout in the aircraft shall verify that no undesired 
interaction exists. 

The DAAS design and included limiters, monitors, warnings, etc., 
satisfy the item b or c requirements. 

2.4.2. 2 FAR Part 23 , Requirements of the Autopilot — The Auto- 
pilot (sensors, computer, servos) must meet the FAR Part 23.1329 
requirement as follows ; 


70 



Requlremeat , 23.1329 a to g 


(a) Each system must be designed so that the automatic pilot can 


(1) Be quickly and positively disengaged by the pilots to 
prevent it from interfering with their control of the 
airplane; or 

(2) Be sufficiently overpowered by one pilot to let him 
control the airplane. 


b, c, g requires a certain cockpit design in order to eliminate 
pilot confusion and simplify use of the autopilot. 

a,d,e,f requires a certain system design to minimize the impact 
of autopilot malfunction. 


Comment : 


The autopilot dump switches (control wheel, N -accelerometer ) and 
the slip clutch included in the elevator, aileron, and rudder 
servos provide the required protection. 


The slip clutches are designed to prevent excessive accelerations 
Requirement 23.1329 b 

(b) Unless there is automatic synchronization, each system must 
have a means to readily indicate to the pilot the alignment 
of the actuating device in relation to the control system it 
operates . 


71 



Comment : 


The position of the control wheel, pedals and the trim indicators 
indicate the alignment. 

Requirement 23 . 1329 c 

(c) Each manually operated control for the system operation must 
be readily accessible to the pilot. Each control must oper- 
ate in the same plane and sense of motion as specified in 
23.779 for cockpit controls. The direction of motion must 
be plainly indicated on or near each control. 

Comment : 

DAAS panel layout agrees with the FAR requirements. 

Requirement 23.1329 d 

(d) Each system must be designed and adjusted so that, within 
the range of adjustment available to the pilot , it cannot 
produce hazardous loads on the airplane or create hazard- 
ous deviations in the flight path, under any flight condi- 
tion appropriate to its use, either during normal operation 
or in the event of a malfunction, assuming that corrective 
action begins within a reasonable period of time. 

Comment : 

Met by 

1. Software limiters, 3-axis 

2. Software "faders" in pitch and roll 


72 



3. Slip clutches 

4. Pitch trim monitor 

5. The Nz> "IG-Dump accelerometer”. 

Requirement 23.1329 e 

(e) Each system must be designed so that a single malfunction 
will not produce a hardover signal in more than one control 
axis’. If the automatic pilot integrates signals from axixil 
iary controls or furnished signals for operation of other 
equipment, positive interlocks and sequencing of engagement 
to prevent improper operation are required. 

Comment : 

This requirement can be met by implementation of hardware servo 
command limiters. (Note: Limiters have been added to flight 

system. ) 

Requirement 23.1329 f 

(f) There must be protection against adverse interaction of 
integrated components, resulting from a malfunction. 

Comment : 

Met by 

1 . Buffers eliminating part damage. 

2. Limiters and monitors eliminating excessive commands. 


73 



Requirement 23.1329 g 


(g) If the automatic pilot system can be coupled to airborne 

navigation equipment, means must be provided to indicate to 
the flight crew the current mode of operation. Selector 
switch position is not acceptable as a means of indication. 

Comment : 

The annunciator panel provides the requested information. 

2.4.2. 3 FAR Part 91 , Instruments , and Equipment Requirements — 
FAR Part 91.33, a to e, specifies instrument and equipment re- 
quired for powered civil aircraft with U.S. air worthiness cer- 
tificates as follows; 


(a) 

General 



(b) 

VFR flight. 

day 


(c) 

VFR flight. 

night 


(d) 

IFR flight. 

category 

I 

(e) 

IFR flight. 

category 

above 24,000 feet 

(f) 

IFR flight. 

category 

II 


IFR category II is not applicable to DAAS. 
The requirements are summarized as follows. 
Requirement 91.33b 


(b) Instruments required for VFR Flying, Day 
(1) Airspeed indicator. 


74 


Altimeter. 


( 2 ) 

(3) Magnetic direction indicator. 

(4) Tachometer for each engine. 

(5) Oil pressure gauge for each engine using pressure 
system. 

(6) Temperature gauge for each liquid-cooled engine. 

(7) Oil temperature gauge for each air-cooled engine. 

(8) Manifold pressure gauge for each engine. 

(9) Fuel gauge indicating the quantity of fuel in each tank. 

(10) Landing gear position indicator, if the aircraft has a 
retractable landing gear. 

Comment — The DAAS instrumentation includes the basic instruments 
required for VFR flight during daytime. 

Requirement 91.33c 

(c) For VFR night flights additional lights and an anticollision 
light system are required. 

Comment — The DAAS aircraft is properly equipped in this respect. 


Requirement 91.33d 

(d) For IFR flight the following instruments and equipment are 
required : 


75 



(1) Instruments and equipment specified in paragraph (b) 
of this section and for night flight, instruments and 
equipment specified in paragraph (c) of this section. 

(2) Two-way radio communications system and navigational 
equipment appropriate to the ground facilities to be 
used. 

(3) Gyroscopic rate-or-turn indicator. 

(4) Slip-skid indicator. 

(5) Sensitive altimeter adjustable for barometric pressure. 

(6) A clock displaying hours, minutes, and seconds with a 
sweep-second pointer or digital presentation.. 

(7) Generator of adequate capabity. 

(8) Gyroscopic bank and pitch indicator (artificial horizon 

(9) Gyroscopic direction indicator (directional gyro or 
equivalent ) . 

Comment — The above listed instrumentation are included in DAAS. 

There is no requirement on redundancy stated in this paragraph. 

Requirement 91.33e 


(e) IFR flight at and above 24,000 feet MSL. 

If VOR navigational equipment is required under paragraph 
(d) (2) of this section, no person may operate a U.S. regis- 
tered civil aircraft within the 50 states, and the District 
of Columbia, at or above 24,000 feet MSL unless that air- 
craft is equipped with approved distance measuring equipment 


76 



(DME). When DME required by this paragraph fails at and 
above 24,000 feet MSL, the pilot in command of the aircraft 
shall notify ATC immediately, and may then continue opera- 
tions at and above 24,000 feet MSL to the next airport of 
intended landing at which repairs or replacement of the 
equipment can be made. 

2.4.3 DAAS Failure Modes and Effects Analysis Results 

The DAAS FMEA was conducted to determine effects of failures in 
the DAAS hardware. Assumptions for the analysis were as follows: 

• DAAS is designed for category I IFR operation 

« All single failures and dual failures with high failure 
rates are studied. 

• Any failure in any element is assumed to result in a lost 
function of that element, which makes this a " worst case " 
analysis . 

• The autopilot slip-clutches, the pilot (and N ) dump 

z 

switches, and the pilot and copilot override possibilities 
provide the pilots adequate means to safely handle any 
single control axis hardover servo failure. 

Q 

• The probability of a critical situation less than 10~ in a 
4-hour flight is judged to be negligible. 

• Preflight test and inflight bit are performed. Autopilot 
dump switching, normal acceleration dump switch, and servo 
clutch switches must be checked. 


77 



The preflight test coverage will be less than 100 percent 
due to nontestable elements. Expected fault detection 


coverage is : 

Sensors 70-80% 
Computers 90-95% 
Indicators and Servos 80-90% 
Monitors, Diunp Switches, Clutches 100% 


Some takeoffs may take place with faulty system elements due 
to less than 100 percent preflight test coverage. 

• Effective DAAS software validation will be performed. 

• The four Failure Categories are: 

1. Negligible to the pilot 

2. Inconvenient to the pilot 

3. Demanding to the pilot 

4. Critical, evident risk for catastrophe 

Fault categorization assumes a single pilot. In the conclu- 
sions, judgments are given on how the safety pilot improves 
the DAAS flight-safety situation and how failure probabili- 
ties affects the DAAS flight safety situation. 

• FAR Part 23 and 91 requirements are assumed to define a mini- 
mum avionics system, which is normally safe to fly. 

9 DAAS failure rates used in the FMEA are as listed in Table 
2-3. The failure rate is the probability of a failure in a 
DAAS element during 1 hour flight . 


78 



Table 2-3. DAAS Elements Failure Rates 


Elements 

Type 

No. 

Quantity 

n 

Failure 

Rates 

Total 

Rates 

Comments 

1. OAAS Elements 

Hardwired to DAAS-Computers 



EEPROM Memory 


1 

500 

500 

Failure rates not available 

CPU St RAM/PROM 

8086 

7 

60 

420 

(20 and S0%) 

Radio Adapt . Box 

(8748) 

1 

40 

40 


BIM 

(9914) 

8 

12 

96 


488-Bus 


1 

1 

1 

Incl. 2 Connectors 

A/D, D/A, Mux 


1 

60 

60 


EHSI 


1 

300 

300 


IDCC 


1 

300 

300 


IDCC Keyboard 


1 

50 

50 


ADI 

EC1310 

1 

340 

340 


RMI 

KZ226 

1 

330 

330 


CX-Sens. St Indie. 


1 

100 

100 


Pitot System L 


1 

50 

50 

Not electrically hardwired! 

Encod. Altlm. 

-571 

1 

200 

200 


Audio Cont . Panel 

KMA 24 

1 

200 

200 


Comm. Trancelvers 

KY196 

2 

330 

660 


VOR Receivers 

KN53 

2 

250 

500 


DME Receivers 

KN62A 

1 

500 

500 


Transponder 

KT76A 

1 

400 

400 


Mode Controller 

KMC- 340 

1 

340 

340 


Annunciator Panel 

KAP-315 

1 

30 

30 


MAG X MTR 

KMT112 

1 

20 

20 


Directional Gyro 

KSG105 

1 

330 

330 


Slave Control 

KA-51A 

1 

10 

10 


Vertical GYRO 

VG 208 

1 

330 

330 


Radar -Altimeter 

RT-271 

1 

500 

500 


ADC 

KDC-380 

1 

200 

200 


True Air Speed 

VA 210 

1 

100 

100 

Incl. F/V Converter 

Outer Air Temp. 


1 

10 

10 

Incl. Sign. Conditioning 

Yaw Rate GYRO 

GG 2472 

1 

50 

50 


Engine Map 


2 

5 

10 


Engine RPM 


2 

10 

20 

Incl. F/V Converter 

Engine Fuel Flow 


2 

5 

10 


Cowl Flap Pos. 


2 

5 

10 


Flap Pos. 


1 

20 

20 


Elev. Trim Pos. 


1 

20 

20 


Yaw Servo 


1 

70 

70 

Incl. Clutch St Amplif. 


79 











Table 2-3. DAAS Elements Failure Rates (2 of 2) 


Elements 

Type 

No. 


Quantity 

n 

Failure 

Rates 

Total 

Rates 

Comments 

Roll Servo 



1 

70 

70 

Incl. Clutch St Amplif. 

Pitch Servo 



1 

70 

70 

Incl. Clutch St Amplif. 

Pitch Trim Servo 



1 

50 

50 

Incl. Clutch St Amplif. 

2. DAAS Instrumentation not 

Hardwired to DAAS Computers 

IAS 



1 

280 

280 

Pitot System L. 

VS I 



1 

100 

100 

Pitot System L. 

Turn St Bank 



1 

150 

150 


Fuel Quantity 



1 

150 

150 


Map 



1 

10 

10 


RPM 



1 

10 

10 


Fuel Flow 



1 

10 

10 


EOT 



1 

10 

10 


Engine Status 



2 

20 

40 


3. Co-Pilot Back U 

p Instrume 

n 

tation 




Pitot System R 


1 

50 

50 


IAS 


1 

280 

280 


Altimeter 


1 

180 

180 


VS I 


1 

100 

100 


Turn St Bank 


1 

150 

150 


Artific. Horizon 

KG258 

1 

670 

670 


PNI 

KC525A 

1 

330 

330 


Slave CTRL 

KA-51A 

1 

10 

10 


Direct . GYRO 

KG102-A 

1 

400 

400 


MAG X MTR 

KMT112A 

1 

20 

20 


Comm. Tranceiver 

422A 

1 

660 

660 


VOR/GS, Receiver 

442A/443A 

1 

500 

500 

Incl. Nav. Converter 

4. Electrical Powe 

r System 





A/C 28VDC Bus 


1 

<. 1 

< . 1 

Redundant Alternators 
pilot disconnect faulty 

Avionics 28VDC Bus 


1 

<.l 

<.l 

battery ! ! 

DAAS A 28VDC Bus 


1 

-.1 

-.1 

Valid as long as DAAS 

DAAS B 28VDC Bus 


1 

-.1 

-.1 

Battery Lasts (-1 hr.) 

DAAS Battery Chrgr 


1 

5 

5 


DAAS Battery 


1 

100 

100 


DC/ AC Invertor 


1 

10 

10 


DC/DC Converter 


2 

15 

30 



80 










For the failure probability estimates, 4 hours flight time 
are assumed. 

The failure rates in Table 2-3 are collected from adjusted 
MIL-HDB-217B data, vendors reliability data, Hone 3 rwell pre- 
dicted failure rates and by comparison to known similarly 
complex elements. 

The failure rates should be representative of components and 
parts available in 1979/80. 

FMEA results are compiled in Appendix A. The DAAS elements are 
defined on these forms and the type of failure and the failure- 
rates are also listed. The impact of a faulty element on down- 
stream DAAS elements is also indicated. 

Finally, a judgment is made as to how the failed element will in- 
crease the pilot effort required to complete his flight. The 
failures are divided into the four categories on the basis of 
this judgment. 

The DAAS failure category is assigned assuming a co-ilot in the 
right seat . 

Appendix A also indicates whether: 

• FAR requirement are applicable and met . 

• Failure probabilities are significant to the risk situation. 

• DAAS would be safe to fly with the analyzed element faulty. 


81 



The FI»1EA covers the consequences of 86 failed DAAS elements. 

Table 2-4 summarizes failure categories and indicates whether 
applicable FAR requirements are met. Comments on redundancy, 
failure probability, etc. , are given for some failed elements. 

These FMEA results indicate that fault-free DAAS meets the FAR 
Part 23 and 91 requirements. DAAS does provide the required 
means for override and disengage after a failure. 

FAR requirements may more or less be violated if DAAS elements 
fail. Of the 86 failed DAAS elements studied, FAR VFR or IFR Cat 
I requirements apply to 36. For these 36 failed elements, 11 
violate the FAR requirements. FAR requirements that apply to 
general VFR flight, and 6 of these are not met. 13 requirements 
applying to IFR Cat I, 5 are not met. 16 requirements apply to 
IFR Cat II; DAAS is not certified for Category II. 

The violated paragraph is 23.1329(e) which says; 

"Each system must be designed so that a single malfunction 
will not produce a hardover signal in more than one control 
axis." 

Violation in the initial design occur for failure in: 

0 A/P, NAV, Bus Controller, Processors 
0 488-Bus 


82 




Table 2-4. Summary of the DAAS Failure Modes and 
Effects Analysis 


— 

Failure 

No. 

Element 

Far Req. 
Met 

Failure 

Category 

Comments 


1 

Encod. Altimeter 

OK Cat 

1 

3 

Misleads ATC 
Proximity W-Error 

. — 

2 

Altimeter Co-Pilot 

OK Cat 

2 

2 



3 

Radar Altimeter 

OK 


2 



4 

TAS 

N/A 


2 


’ 

5 

IAS Pilot 

OK Cat 

1 

2 



6 

IAS Co-Pilot 

OK Cat 

2 

1 



7 

ADC (380) 

N/A 


2 

Min. Alt. for ALT HOLD 
Recommended 


8 

Pitot System L 

OK Cat 

1 

3 



9 

Pitot System R 

OK Cat 

2 

1 



10 

Oat 

N/A 


2 



11 

Pilot Mag. XTMR 

OK Cat 

1 

3 


— 

12 

Pilot Slave Indie. 

N/A 


1 



13 

Pilot Direct GYRO 

OK Cat 

1 

3 



14 

Pilot RMI 

OK Cat 

1 

2 


• — 

15 

Co-Pilot Mag. XTMR 

OK Cat 

2 

1 



16 

Co-Pilot Slave Indie 

N/A 


1 



17 

Co-Pilot Direct GYRO 

OK Cat 

2 

1 



18 

Co-Pilot PNI 

OK Cat 

2 

1 



19 

Pilot Turn St Slip 

OK Cat 

2 

1 



20 

Co-Pilot Turn 8t Slip 

OK Cat 

2 

1 



21 

Yaw Rate GYRO 

N/A 


2 



22 

X-Sensor 8: Indicator 

N/A 


2 



23 

Pilot Vertical-GYRO 

OK Cat 

1 

2 



24 

Pilot ADI 

OK Cat 

1 

2 


— . 

25 

Co-Pilot Art if. Horiz. 

OK Cat 

2 

1 



26 

Map Instrument 

OK Cat 

2 

2 



27 

RPM Instrument 

OK Cat 

2 

2 



28 

EGT Instrument 

N/A 


2 



29 

Eng. Status 1 

OK Cat 

2 

3 

Pilot Action 


30 

Eng. Status 2 

OK Cat 

2 

3 

As If Engine Failure 


31 

Fuel Flow Sens. 1 

N/A 


2 



32 

Fuel Flow Sens. 2 

N/A 


2 



83 

















Table 2-4. Summary of the DAAS Failure Modes and 
Effects Analysis (Sheet 2 of 3) 


Failure 

No. 

Element 

Far Req. 
Met 

33 


Fuel Quantity 

OK Cat 

2 

34 


DAAS Map Sensor 

N/A 


35 


DAAS RPM Sensor 

N/A 


36 


Wing Flp. Pos. Sens. 

N/A 


37 


Elev. Trim Pos. Sens. 

OK 


38 


Cowl Flps. Pos. Sens. 

N/A 


39 


LDG Gear Pos. Sens. 

N/A 


40 


Door Pos. Sens. 

N/A 


41 


Aux. Fuel Pump Sw. 

N/A 


42 


Cws-Switch St Logic 

OK 


43 


Go- Around Switch 

N/A 


44 


Pitch Trim Switch 

N/A 


45 


Pitch Trim Button 

N/A 


46 


A/P Dump Sw. St Relay 

OK 


47 

a 

Co-Pilot Comm. 
Transievers, Antennas 

OK 



b 

Co-Pilot Comm. 
Transievers, Antennas 

OK 


48 

a 

Pilot Nav. 

Receiver + Antennas 

OK Cat 

2 


b 

Co-Pilot Nav. 
Receiver + Antennas 

OK Cat 

2 

49 


DME Receiv. + Ant. 

OK Cat 

2 

50 


Transponder + Ant . 

N/A 


51 


Audio Headsets 

OK 


52 


Switch Nav 1 Sel. 

N/A 


53 


Switch Nav 2 Sel. 

N/A 


54 


Switch DME Sel. 

N/A 


55 


Switch VOR Sel. 

N/A 


56 


Switch Loc/GS Sel. 

N/A 


57 


IDCC Keyboard 

N/A 


58 


IDCC Selector Switch 

N/A 


59 


IDCC CPU, Display 

N/A 


60 


EHSI Selector Switch 

N/A 



Failure 

Category 

2 
1 
1 
1 
1 
1 
1 
1 
1 
3 
3 
2 
3 
3 


Comments 


Redundant info, available 


A Software Controlled 
CWS Light Recommended 


Runaway Not Monitored 
2 Failures Probab. ~1C 

Duplex Probab. ~10“® 


2 

1 

2 

2 

2 

2 

1 

2 

3 

2 

2 

2 


Single DME 

No Outsignal ATC Problem! 
DAAS Duplex 


Missed Pilot Input Check. 
Low Probability 


84 

















Table 2-4. Siammary of the DAAS Failure Modes and 
Effects Analysis (Sheet 3 of 3) 







Failure 

No. 

Element 

Far Req. 
Met 

Failure 

Category 

Comments 

61 

EHSI CPU, Display 

N/A 

2 


62 

Annunciator Panel 

OK 

2 


63 

Mode Cont. Trim/Hdg. 

OK 

2 


64 

Mode Cont. Toggle Sw. 

OK 

2 


65 

Mode Cont. Solen. Sw. 

OK 

2 


66 

A/P Yaw Clutch, Servo 

OK 

2 


67 

A/P Roll Clutch Servo 

OK 

3 

' 

68 

A/P Pitch Clut. Servo 

OK 

3 


69 

A/P Pitch Trim Servo 

OK 

3 


70 

Clutches Common Logic 

OK 

3 


71 

A/P-I/0 CPU, BIM 

NOT OK 


Fault During Critical 

A/P-I/0 A/D, D/A, MUX 


Fault Phases 

72 

NAV/FLT PLN CPU, BIM 

NOT OK 

2 

Probab. No Recon. 30»10~® 





Probab. Recon. 6*10 ® 

73 

Spare CPU, BIM 

N/A 

2 

Probab. <10“® 

74 

Radio Adapter Box 
and BIM 

N/A 

3 

Critical Fault Phase 

75 

Dabs Transponder 
CPU + BIM 

N/A 

1 

ATC Problem 

76 

BUS. Controller 
CPU, BIM 

NOT OK 

3 

Uncertain Warn. 

77 

488 Bus 

NOT OK 

3 

Critical Fault Phase 

78 

EEPROM Memory 

NOT OK 

3 

Probab. <10“® (Estimated) 

79 

Cassette 

NOT OK 

3 

Efficient Bite Probab. <<10~® 

80 

A/C Main 28 VDC Bus 

OK 1) 

4 

Probab. <10~^ 

81 

Avionics 28VDC Bus 

OK 

4 

Probab. <10~^ 

82 

DAAS A-B 2 8 VDC Bus. 

NOT OK 

3 

Probab. <10~^ 

83 

DAAS AC Buses 

NOT OK 

3 

Probab. -10~® 

84 

DAAS 15V DC Bus 

NOT OK 

3 

Probab. -10”^ 

85 

DAAS 12 DC Bus 

NOT OK 

3 

Probab. <<10~® 

86 

DAAS 5 DC Bus 

NOT OK 

3 

Probab. -10~* 

1) CESSNA 402B electrical powe 

r system with DAAS i 

nstalled 

assumed to meet applicable 

Far requirements. 



85 











• EEPROM Memory and Cassette 

• The Electrical Power Buses 

The 23.1329(e) conflict was resolved by introducing three hard- 
ware limiters located immediately downstream of the pitch, roll 
and yaw A/D converters in the DAAS hardware. These limiters 
prohibit any kind of DAAS computer failure from commanding servo 
hardover. The limiters reduce any DAAS computer hardover failures 
to ; 


• Pitch - 60% Full Scale 

• Roll - 30% Full Scale 

• Yaw - 45% Full Scale 

Appendix A contains the complete Failure Modes and effects 
analyses. Eighty-six failures were defined and categorized 
as follows. 

Category 1 - Failures are negligible to the DAAS pilot; e.g., 
copilot instruments, door switches, etc. 

Category 2 - Failures that cause inconvenience to the DAAS pilot ; 

e.g., loss of ADC-380 RMI, a -Sensor, Annunciator 
Panel. 

Category 3 - Failures during busy or critical flight-phases which 
can be demanding to the DAAS pilot; e.g., IDCC key- 
board, engine/status instrument, servos, autopilot 
dump switch, autopilot processor, bus, and electric 
power . 


86 



Category 4 - Failures that may create a critical situation. The 

two DAAS Category 4 failures are loss of the Aircraft 
and Avionics 28-Vdc Bus. The probability of occur- 
rence is very remote. 

Table 2-S summari25es the number of failures that fall within 
these failure categories. 


Table 2-5. Failure Categorization of 
the DAAS Elements 


Nvimber of DAAS 
Elements 

Failure Category 

1 

2 

3 

4 

22 

36 

26 

2 


The DAAS Category 4 failures have a very low probability of 10” . 
They are negligible. 

Autopilot Processor failures are demanding during especially low 

altitude flight phases. The probability of such a failure may be 
-5 

10 for a 4-hour flight. It is vital to the DAAS flight safety 
that the copilot closely monitors the DAAS performance during 
such conditions. 

The DAAS FMEA concludes that , with servo command limiters imple- 
mented as recommended, DAAS. flight safety is adequate for the 
demonstration system. 

The DAAS system meets the objectives of the program as well as 
the necessary safety requirements. The conclusions and recommen- 
dations pertaining to the DAAS system are presented in Section 6 


87 




report. The DAAS design and analysis served as a baseline for 
the Projected Advanced Avionics System (PAAS), which is discussed 
in the following section. 



SECTION 3 

PROJECTED ADVANCED AVIONICS SYSTEM (PAAS) 


PAAS is a projected operational version of DAAS. It extrapolates 
the DAAS concept of fault tolerant integrated avionics to a sys- 
tem that could be produced in the mid-1980s. PAAS is designed to 
have super functional reliability. The Autopilot /Navigation mean 
time between loss of function is on the order of 10,000 hours. 
PAAS can thus provide the dependable pilot relief that is essen- 
tial for effective flight management by using the expanded func- 
tional capabilities provided. 

Following is a description of PAAS and an analysis of its reli- 
ability, cost, maintainability, and modularity. 


3.1 PAAS SYSTEM DESCRIPTION 

The PAAS system, Figure 3-1, extrapolates the DAAS concept to a 
mid-1980s projected operational avionics configuration. PAAS 
architecture is similar to DAAS; i.e., it is a reconf igurable 
multiprocessor configuration. PAAS extends the DAAS spare pro- 
cessor redundancy concept to cover all essential avionics pro- 
cessors. PAAS employs a fault tolerant sensor configuration, 
dual redundant data busses, and dual autopilot servos. Redun- 
dancy in sensors, data bus, and servos — in addition to fault 
tolerant processing — is required to cause significant impact 
to the avionics functional reliability. 

PAAS is designed as a minimum cost system that will allow con- 
tinued operation of essential avionics functions after any single 


89 




Figure 3-1, PAAS System Architecture 




















failure. Functional reliability of navigation and autopilot are 
emphasized. The PAAS design provides approximately 10,000 flight 
hours of operation between loss of these functions, as compared 
to 200 hours for current systems. 'PAAS includes extensive built- 
in test for high confidence fault detection (and annunciation) 
and fault isolation for efficient maintenance. 

Following is a description of the PAAS fault tolerant implementa- 
tion of sensors, data bus, computer, displays, servos, power 
supplies, and the redundancy management techniques envisioned for 
the system. 

3.1.1 PAAS Sensor Configuration 

PAAS sensors required for navigation and autopilot functions are 
redundant for fault tolerance. Four skewed laser gyros, and four 
skewed accelerometers are proposed for the projected strap-down 
attitude heading reference system (AHRS). Dual static and differ' 
ential pressure transducers are proposed for air data sensing. 
Dual VOR receivers and single DME are included for NAV inputs. 
Fuel sensors, engine sensors and configuration monitoring sensors 
are nonredundant . 

Following are details on the unique PAAS AHRS and air data sensor 
mechanization . 

3. 1.1.1 PAAS AHRS Mechanization — The AHRS employs strap-down 
skewed laser gyros and skewed accelerometers for fault tolerant 
attitude and rate sensing. 

The laser gyro is a solid-state, precision angular rate sensor 
with a direct digital output. The laser gyro is ideally suited 


91 



for strap-down system configurations because it eliminates the 
need for gimbals, torque motors or other rotating parts. Instead 
of the rotating mass of a conventional mechanical gyro, the ring 
laser gyro utilizes two beams of laser light counter-rotating in 
a closed path. Laser gyro based inertial navigation and inertial 
reference systems are inherently more reliable and easy to main- 
tain, and they provide the additional benefits of instant on, in- 
sensitivity to acceleration error sources, and low life cycle cost. 

Four gyros and four accelerometers are employed in a skewed con- 
figuration, as shown in Figure 3-2. 

Aircraft body rates (and accelerations) are derived from the sen- 
sor tetrad as indicated. The three body axis rate components 
(and accelerations) can be computed from the sensor signals even 
if one sensor has failed. Fault tolerance is thus provided for 
the three body rates (and accelerations) with only one added 
sensor. 

A faulty sensor can be detected with high confidence by sensor 
comparison monitoring, and the fault can be isolated to one sen- 
sor either automatically, or by pilot selection should the auto- 
matic selection fail as described in paragraph 3.1.7. 

The sensed aircraft rate and acceleration signals are converted 
to digital form in each of the PAAS dual I/O terminals and trans- 
mitted to the PAAS AHRS processor for attitude/heading computa- 
tions. A flux gate signal is also input for long term heading 
reference. The attitude heading signals are used on the elec- 
tronic attitude indicator in the PAAS autopilot and navigation 
functions. 


92 




A general aviation laser gyro AHRS is not currently available, 
but may become feasible. Honeywell is developing a laser gyro 
inertial reference assembly for the Boeing 767. Others are work- 
ing on low cost laser rate sensors using optical fibers. 

3. 1.1.2 PAAS Air Data Sensors — Dual solid state static and 
differential pressure transducers and dual temperature sensors 
are proposed for PAAS to provide fault tolerant inputs for com- 
putation of altitude, altitude rate, indicated airspeed and true 
airspeed. Honeywell's solid state transducers used in current 
commercial aircraft air data systems are representative of de- 
vices which will likely make the PAAS air data approach feasible 
in general aviation in coming years. 

The Honesrwell pressure sensor converts the applied pressure to a 
usable electrical signal. An N-type silicon diaphragm within the 
sensor contains two P-type resistors diffused in an orthogonal 
pattern on the diaphragm. The orthogonal placement of the resist- 
ors in the diaphragm creates a change in the bulk resistivity of 
the resistors that is a function of diaphragm tangential and 
radial strain. The trangential resistor (R,p) increases resistance 
with strain (applied pressure), while the radial resistor (Rj^) 
exhibits a corresponding decrease with strain. 

The silicon piezoresistors are, therefore, used as strain gage 
elements . 

The resistive elements have nearly identical temperature coeffi- 
cients of resistance, because they are formed at the same time 
during the processing operations and are adjacent to each other. 
This permits temperature-related errors to be largely self-compen- 
sating due to the sensor resistance-bridge circuit mechanization. 


94 



Sensed static pressure, differential pressure and temperature are 
converted to digital form and transmitted to the PAAS ADC proces- 
sor for computation of altitude and airspeed signals for use on 
electronic flight instruments, and in PAAS autopilot and naviga- 
tion functions. 

3.1.2 PAAS Data Bus 

The PAAS data bus is dualized for fault tolerance. One bus con- 
troller is located with each I/O terminal. The two busses oper- 
ate continuously to provide dual redundant inputs to detect (and 
annunciate) faults with high confidence. 

DAAS employs the 16-wire IEEE 488 8-bit parallel data bus. A 
high throughput serial data bus, for which LSIC interface compo- 
nents are available, is proposed for PAAS. The serial bus would 
be preferable to minimize aircraft wiring if the PAAS processors 
are packaged separately. 

PAAS data bus throughput requirements have not been established, 
though PAAS data bus loading is clearly higher than DAAS because 
air data, AHRS data, and weather radar display data are added to 
the bus. 

3.1.3 PAAS Computer Architecture 


The PAAS computer employs the spare processor redundancy concept 
developed for DAAS, but extends back-up capability to all essen- 
tial processors. See Figure 3-1. The PAAS spare can take over 
for any failed processor except the DABS processor, the weather 
radar processor, or the IDCC processor. 


95 



The DABS or weather radar function reliability would not be sig- 
nificantly enhanced by redundant processing because the higher 
failure rate sensors are not redundant. The IDCC back-up is a 
reversion mode on the EHSI display; thus IDCC processor backup 
is not required. 

The PAAS processors receive their inputs, and supply outputs to 
dual I/O terminals via the dual PAAS data busses. 

3.1.4 PAAS Displays 

Proposed PAAS display configuration is illustrated in Figure 3-3. 
Three-color CRTs are included. One display normally presents: 

• Attitude/Director Indicator 

• IAS Indicator 

• Altimeter 

• Vertical Speed Indicator 

• Etc. 

The second panel mounted display is a horizontal situation indi- 
cator similar to the DAAS EHSI. A third display would be mounted 
in the pedestal for use as an IDCC. 

The first display could be periodically switched to present the 
EHSI if the second display failed, and vice versa. The second 
display could also be switched to operate as a primitive NAV 
function IDCC if the primary IDCC failed. 

Multifunction controls are provided for each display. The con- 
trols are relabeled when the display function changes. 


96 







Communication control heads are panel mounted to provide tuning 
capability independent of the PAAS display system. 

3.1.5 PAAS Servo Mechanization 

PAAS servos are dual with clutch arrangements to allow switching 
between servos for continued operation after one servo failure. 
Each servo in a dual pair is driven from one of the dual I/O ter- 
minals. A servo model would be implemented in PAAS software for 
each mechanical servo , and model output would be compared to 
servo output to detect and isolate servo faults. 

3.1.6 PAAS Power Mechanization 

Dual, monitored power supplies are included in PAAS. The power 
references to the essential PAAS components are switched in event 
of a power supply failure. 

3.1.7 PAAS Redundancy Management 

PAAS would include extensive built-in test to detect and isolate 
faults to facilitate automatic reconfiguration. Fault detection 
confidence could exceed 99 percent for dual elements through use 
of simple comparison monitoring. Automatic fault isolation is 
feasible with confidence on the order of 80 to 90 percent for the 
dual sensors, and approaching 100 percent for the dual model- 
comparison-monitored servos. 

PAAS could include capability for manual redundancy management as 
backup to the automatic fault localization/reconfiguration. The 
PAAS data bus could be switched manually from dual operation to 
Channel I or Channel II as indicated in Figure 3-3. Sensor and 


98 



servos could be manually selected on IDCC pages as shown in 
Figure 3-4. 


3.2 PAAS RELIABILITY ANALYSIS, 

PAAS is configured to provide an order of magnitude improvement 
in functional reliability at a reasonable cost with respect to 
conventional architectures. Effectiveness of the PAAS architecture 
is therefore analyzed by comparing PAAS Autopilot and Navigation 
function reliability with respect to a hypothesized "conventional” 
system. The reliability analysis also compares the maintenance 
failure rate of PAAS and the "conventional" system to give some 
indication of PAAS relative life cycle cost. 

The "conventional" system component list, and associated failure 
rates, are compiled in Table 3-1. This system includes current 
devices required to give functional capability similar to that of 
PAAS. Communications, navigation, flight control, performance 
computations, configuration monitoring, and weather radar are in- 
cluded. Where possible, failure rates are King Radio Corporation 
tabulations of actual operational experience. Honeywell Reliabil- 
ity Engineering Group provided generic estimates where operational 
experience was not available. The PAAS computer unit reliability 
prediction is extrapolated from the DAAS hardware mechanizations. 

The "conventional" system maintenance failure rates are sximmed to 
determine a total failure rate of 1061.5 percent per 1000 hours, 
for a total system mean time between failure of 94 hours. 

The "conventional" system autopilot/navigation functional reli- 
ability was determined by sximming failure rates of components 


99 



100 


nEDUNOANCY MANAGEMENT Pt OF 2 


* AHRSINSEL 

> AUTO 
MAN(CHX) 

’ AHRS GYRO OFF 

> AUTO 

MAN (GYRO XI 

* AtIRS ACCEL OFF 

> AUTO 

MAN (ACCEL XI 

* NAVINSEL 

> AUTO 

> MAN (CM XI 


ADC IN SEL 

> AUTO 
MAN (Cll 

PS SEL 

> AUTO 
MAN (Cll 

IAS SEL 

> AUTO 
MAN (Cll 


XI 

XI 

XI 


REDUNDANCY MANAGEMENT P2 0F2 


RUD SERVO SEL 

> AUTO 
MAN (Cll XI 

AIL SERVO SEL 

> AUTO 
MAN (CH XI 


■ EL SERVO SEL 

> AUTO 
MAN (CH XI 

■ TH SERVO SEL 

> AUTO 
MAN (Cll XI 


REDUNDANCY MANAGEMENT PI OF 1 

STATUS 

AHRS SEL/CII AUTO/1 

AHRSGYRO/ACCEL FAIL X/X 

ADC SEL/CII AUTO/I 

ADC PS/IAS FAIL X/X 

NAV SEL/CII. . . : MAN/I 

NAV FAIL 2 


Figure 3-4. PAAS Manual Redundancy Management 



101 


Table 3-1. Reliability Estimate for a Conventional 
System 


DEVICE 

FAILURE 

RrME 

(Z/tOOO HRS) 

yUANlTl’Y 

MAINTENANCE 
FAILURE RATE 
CONTRIBUTION 
(2/1000 HRS) 

AUTO PILOT/NAV 
FUNCTION FAILURE 
RATE CONTRIBUTION 
(2/1030 HRS) 

COMMENT 

NAV/FI.T (X)NTKOl, SKNSOKS/l NSTRUNENTS 






Yau Hite Cyro 

5. 

1 

5. 

5. 


Magnetic Tran^initter (KMT 112) 

2. 

1 

2. 

0 

Manual slaving assumed if failed. 

Directional Gyro (KSG 105) 

33. 

1 

33. 

33. 


Slave Control (Ki\ 514) 

1. 

1 

1. 

1. 


VfctUjl Gyro (VC 208) 

33. 

1 

33. 

33. 


Pitoc SysCeig, Left 

5. 

1 

5. 

5. 


Pitot System, Right 

5. 

1 

5. 

5. 


Encoding Altimeter (IDC 571) 

20. 

1 

20. 

20. 


Air Djta Conputer (HOC 380) 

20. 

t 

20. 

20. 


VOR Receiver (KN 53) 

25. 

2 

SO. 

2.5 


DM£ Receiver (KN 62A) 

50. 

1 

50. 

- 


Angle of Attack Sensor, Ind 

10. 

1 

10. 

- 


Turn and Bank IiJicator 

15. 

1 

15. 

IS. 


OAT Sensor 

1. 

1 

_u 

- 





26C. 

141.5 


COHTROt.S AND DISPIAYS 






Autopilot Mode Controller (KH(^ 3A0) 

34. 

1 

34, 

34. 


Autopilot Annunciator Panel (KAP 315) 

3. 

1 

3. 

3. 


ADI (KCI 310) 

20, 

1 

20. 

0 

Artificial horizun backup, degrutled perform invc . 

1131 (KPI 553) 

20. 

1 

20. 

0 

Kitl backup, degraded performance. 

KMI (KI 226) 

33. 

1 

33. 

0 

list backup. 

Audio Control Panel (KMA 24) 

20. 

1 

• 2*». 

- 


Failure Annunciator Panel 

3. 

1 

3. 

- 


Airspeed Indicator 

28. 

1 

28. 

28. 


Artificial Horizon (KG 253) 

67. 

1 


0 





228. 

65. 


COMPUTER. ELECTRONICS 






Autopilot Cuiupiiter (KAC 325) 

55. 

1 


55. 


Flight Computer (KCP 320) 

85. 

1 


85. 


KNAV System (KNO 665) 

90. 

1 


90. 


mV Coiiputer (KVN 395) 

«. 

1 


45. 


Performance Cuinputer 

20. 



- 





29S. 

27>. 


























102 


Table 3-1. Reliability Estimate for a Conventional System (Sheet 2 of 2) 





MAUfTENANCE 

AUTO PIUXi/NAV 



FAILURE 


FAILURE RATE 

FUNCTION FAILURE 



HATE 


comiBirrioN 

RATE CONfRlBUnON 


DkiVlCE 

(X/1000 IIRS 

QUANTITY 

(X/1000 HRS) 

(X/1000 HRS) 

CO.'WEtfi’ 

S‘:KV0 ACniATOt’3 

7. 

1 

7. 

7. 


Pitch Servo 

7. 

1 

7. 

7. 


Roll Servo 

7. 

1 

7. 

7. 


Vaw Servo 

7. 

1 

7. 

7. 


Pitch Trim Servo 

5. 

1 

h. 






26. 

26. 


Mc)NlTORINO 






M\P Sensor 

0.5 

2 

1. 

. 

Not recfulred fur Autopilot, NAV Imictiun. 

KPH Sensor 

1 . 

2 

2. 

- 


Fiap Position 

.5 

1 

.5 

- 


Flap Position 

2. 

t 

2. 

- 


Elevator Trim Postlon 

2. 

1 

2. 

- 


Radar Altimeter 

50. 

1 

50. 

- 





57.5 

0 


UrlATHKR RADAR 






Transmi tter/Receiver 

50. 

1 

50. 

_ 

Not re<]uireJ for Autopilu:, H<W function. 

Display Unit 

5. 

1 

5, 

- 





55. 

0 


(■a>HM11NI('ATI0NS 






Ccxiini Transceivers (KY 196) 

33. 

2 

66. 

_ 

Not reqaired for Autopilot, NAV functicni. 

lUliS Transponder 

40. 

t 

40. 

- 


DAUS Control/Display 

30. 

1 

30. 

- 





136. 

0 


EI.ECTUUIM, POUICR SYS'l’EM 






A/C Bus, Aircraft Battery 

.ui 

1 

NOT INCLUDED 

.01 


UC/AC Invertor 

1. 

1 

1. 

* • 


IK;/IK; Converter 

3. 

1 

3. 

3,ti. 1 





4.0 

4.01 




TOl’Ai.: 1056.5 

« '6.51 




MfBF - 94.6 IIRS 

201. IIRS 



















required to provide these functions. Failure contribution of 
dual VOR receivers was considered negligible. The total conven- 
tional system autopilot /navigation function failure rate, assum- 
ing a 1-hour mission, is 496.5 percent per 1000 hours for a mean 
time between loss of function of 201 hours. 

Corresponding PAAS maintenance reliability and autopilot /naviga- 
tion function reliability are compiled in Table 3-2. PAAS main- 
tenance reliability is 50 percent better than the conventional 
system because: 

• High reliability digital electronics employed 

• High reliability solid state sensor technology employed 

® Electronic displays replace conventional instruments 

9 PAAS integrated avionics architecture eliminates hardware 

PAAS autopilot/navigation function reliability is improved by a 
factor of 50 with respect to the "conventional" system, primarily 
due to the fault tolerant PAAS architecture. A PAAS gyro, accel- 
erometer or air data sensor failure can be tolerated without loss 
of a fiinction. A PAAS processor failure, a power supply failure, 
and a servo failure can be tolerated without loss of function. 

This PAAS fault tolerance is accomplished with the minimum of 
redundant hardware, as described in section 3.1. 

PAAS would suffer gross loss of function for certain failure com- 
binations. For example, the PAAS configuration would be totally 
incapacitated by two like bus controller failures. The probabil- 
ity of such failures occurring during a 1-hour flight is extremely 
low, however; for example: 


103 



104 


Table 3-2. Reliability Estimate tor PAAS 


MAINTEHAHCE 

FAILURE FAILURE RATE 

RATE COirrRUUTION 


DEVICE 

NAV/H.T CONTROL SENSORS 

Hdgenetic Transmitter (KKf 112) 

Uiser Cyro, Interface Electronics 
Accelerometer^ Interface Electronics 
Fitot System, Left 
Pitot System, Right 
Static Pressure Transducer 
Differential Pressure Transducer 
VOR Receiver (KH S3) 

DME Receiver (KN 62A) 

Angle of Attack Sensor 
OAT Sensor 

CONTROLS AND DISPIAYS 

Autopilot Mode Controller (KHC 340) 
EADl 0is|)lay, Controls 
EIISI Display, Controls 
IIXX, Display, Controls 

COMPUTER. E!.E(TR0N1CS 

Processor (80B6, Memory) 


A/D, D/A, MUX 
Hubble Memory System 

SER VO ACTUATORS 

Pitch Servo 

KoU Servo 

Your Servo 

Pitch Trim Servo 


(7./1000 HRS) 




AUTO PILOT/NAV 
FUNCTION FAILURE 
i RATE CONTRIBUTION 
' (I/IOOO HRS) 

COMMENT 

1 

Manual periodic heading alignment reuuired 
if RWT 112 fails. 

2. 

90X fault Isolation capability assuiuci.. 

2. 

90Z fault isolation capability assunied. 

.5 

90T. fault isolation capability assuitked. 

.5 

90Z fault Isolation capability assumed. 

1. 

90Z fault isolation capability assim.ed. 

1 . 

907. fault isolation capability assumed. 

0. 

Manual switching if required. 

_ii 

7.1 

90X fault isolation capabllitv assumed. 

0 

IDCC page for backup. 

0 

Manual switciiing of displays. 

0 

Manual switching of displays. 

0 

0 

Basic NAV page available on EHSl displays. 

1.8 

Autopilot, NAV, ADC, AlIRS, RAU, Bus Controller 
processors only. 95X fault isolation 
capabiltiy assummed. 

.6 

93X fault issolation capability assuiiuneJ. 

0 

2.4 

Not required unless another failure occurs. 

^ 0 

Servo*model comparison uionltcring for 
fault isolation. 

0. 

Servo-model com|>arlson Rionitoring lor 
fault isolation. 

0 

Servo-model comparison monitoring for 
fault Isolation. 

0 

1 

0 

Servo-model comparison monitoring for 
fault isolation. 


1 





















105 


Table 3-2. Reliability Estimate for PAAS (Sheet 2 of 2) 





MAINTENANCE 

AUTO PILOT/NAV 



FAILURE 


FAILURE RATE 

FUNCTION FAILURE 



KATE 


CONTK18UT10N 

RATE CONTRIBUTION 


DEVlCt; 

(y./l030 IIRS) 

QUAMTllT 

(X/IOOO HRS) 

U/1000 HRS) 

COMNET 

M12N1T0R SKNSOKS 






M\P 

0.3 

2 

1. 

_ 

Nut required for AuCopllu.:, NAV timetion. 

Kl’H 

1, 

2 

2. 

- 


Cowl ('lap Posicion 

.3 

1 

.5 

- 


Flap 1‘oslMon 

2. 

1 

2. 

- 


Elevator Trin) Post lion 

2. 

1 

2. 

- 


Radar AltlnieCer (RT 221) 

30. 

1 

W. 

- 





57.5 

0 


UEATUEK RADAR 






Traniiu' cter/Keco Iver 

jO. 

1 

SO, 

- 

Not required for Autopilot, NAV function. 




50. 

0 








CoLvii Traasceivera (KY 196) 

3J. 

2 

66. 

. 


TranapnJar 

43. 

1 

4J. 

- 





106. 

) 


Fi.:: :rru ;» . *>./•:!> j.mt ai 






A/C 28VJ‘.' Hur«, Aircraft '?a:.'.ery 

.01 

1 

NOT INCLUDED 

.01 

Pilot dlseni^J/.eiucnl. o'.* 6t ':!i*v a . 

PAAS Rattcry 

10. 

1 

10. 

0 

PAAS !edi|;n utiiat operate wHliOiit UaLtery, 

Laser Gyro Power Supply 

1. 

1 

1. 

1. 


DC/D*'} Converter 

i. 

2 

6. 

_a_ 

95X fault isolation capability j»siiined. 




17. 

1.31 




TOTAL: 228.5 

10.8 




KTBP - 137 HRS 

9260 MRS 















2 —8 

Dual Failure Probability = (lg(^ t ) = 1 x 10 

where : 

= bus controller failure rate = 10%/1000 hours 
t = time = 1 hour 

The two-failure probability is similar to the order of magnitude 
of Military aircraft fly-by-wire flight control catastrophic 
failure rate. 


3.3 PAAS COST ANALYSIS 

PAAS and "conventional" system cost estimates, compiled in Tables 
3-3 and 3-4, indicate that the PAAS costs are similar to those 
for a conventional system. 

The cost figures used in the analysis were current King Radio 
catalog prices where available, or rough estimates based on simi- 
larity where catalog prices were not available. The PAAS com- 
puter cost estimate is an approximation extrapolated from the 
DAAS hardware mechanization. No estimate is available for the 
PAAS laser gyro AHRS, so a cost number corresponding to an electro- 
mechanical device was used. Conclusions are not affected even if 
this number is significantly increased. 

PAAS thus provides dramatic improvements in functional reliability 
without significantly increasing system costs. PAAS total costs 
are contained because PAAS is integrated and does not require 
dedicated controls and displays for its functions. 


106 



Table 3-3. Cost Estimate for a Conventional System 


Device 

Quantity 

Estimated 

Cost 

(Dollars) 

. Basis For 
Estimate 

NAV/FLT Control Sensors 




Yaw Rate Gyro 

1 

1,200 

Catalog 

Magnetic Transmitter (KMT 112) 

1 

205 

Catalog 

Directional Gyro (KSG 105) 

1 

2,495 

Catalog 

Slave Control (KA 51A) 

1 

60 

Catalog 

Vertical Gyro (VG 208) 

1 

4,303 

Catalog 

Pitot System, Left 

1 


Pitot System Right 

1 



Encoding Altimeter (IDC 571) 

1 

4,629 

Catalog 

Air Data Computer (KDC 380) 

1 

1,785 

Catalog 

VOR Receiver (KN 53) 

2 

3,730 

Catalog 

DME Receiver (KN 62A) 

1 

3,225 

Catalog 

Angle of Attack Sensor, Ind. 

1 

2,566 

Catalog 

Turn and Bank 

1 

700 

Catalog 

OAT Sensor 

1 

100 

Estimate Only 

Subtotal 


24,998 

Controls and Displays 




Autopilot Mode Controller 

1 

885 

Catalog 

(KMC 340) 

Autopilot Annunciator Panel 

1 

520 

Catalog 

(KAP 315) 



ADI (KCI 310) 

1 

5,610 

Catalog 

HSI (KPI 553) 

1 

7,200 

Catalog 

RMI (KI 226) 

1 

2,205 

Catalog 

Audio Control Panel (KMA 24) 

1 

675 

Catalog 

Airspeed Indicator 

1 

170 

Catalog 

Artificial Horizon (KG 253) 

1 

1,250 

Catalog 

Subtotal 


18,515 

Computer, Electronics 




Autopilot Computer (KAC 325) 

1 

3,035 

Catalog 

Flight Computer (KCP 320) 

1 

4,465 

Catalog 

RNAV System (KNC 665) 

1 

5,985 

Catalog 

VNAV Computer (KVN 395) 

1 

3,305 

Catalog 

Performance Computer 

1 

14,200 

Catalog 

Subtotal 


30,990 


107 











Table 3-3. Cost Estimate for a Conventional System (Sheet 2 of 2) 


Device 

Quantity 

Estimated 

Cost 

(Dollars) 

Basis For 
Estimate 

Servo Actuators 




Pitch Servo 

1 

2,140 

Catalog 

Roll Servo 

1 

2,140 

Catalog 

Yaw Servo 

1 

2,140 

Catalog 

Pitch Trim Servo 

1 

1,665 

Catalog 

Subtotal 


8,085 


Monitoring 




Failure Annunciator 

1 

75 

Estimate Only 

MAP Sensor 

2 

200 

Estimate Only 

RPM Sensor 

2 

1,200 

Estimate Only 

Cowl Flap Position 

1 

100 

Estimate Only 

Flap Position 

1 

100 

Estimate Only 

Elevator Trim Position 

1 

100 

Estimate Only 

Radar Altimeter 

1 

2,350 

Catalog 

Subtotal 


4,125 


Weather Radar 




Transmit ter /Receiver 

1 

13,000 

Split Estimate 

Display Unit 

1 

7,000 


Subtotal 


20,000 


Communications 




Comm Tranceivers (KY 196) 

2 

3,510 

Catalog 

DABS Transponder 

1 

2,000 

Estimate Only 

DABS Control/Display 

1 

4,000 

Estimate Only 

Subtotal 


9,510 


TOTAL 


$116,223 



108 















Table 3-4. Cost Estimate for PAAS 


Device 

Quantity 

Estimated 

Cost 

(Dollars ) 

Basis For 
Estimate 

NAV/FLT Control Sensors 




Magnetic Transmitters 

1 

205 

Catalog 

(KMT 112) 

Laser Gyro, Interface 


8,000 

Estimated of 

Electronics 



basis of cost 

Accelerometer, Interface 



of electromechan- 

Electronics 



ical replacement 

Pitot System, Left 
Pitot System, Right 
Static Pressure Transducer 

2 

800 

Estimate Only 

Differential Pressure 

2 

800 

Estimate Only 

VOR Receiver (KN 53) 

2 

3,730 

Catalog 

DME Receiver (KN 62A) 

1 

3,225 

Catalog 

Angle-of-Attack Sensor 

1 

828 

Catalog 

OAT Sensor 

1 

100 

Catalog 

Subtotal 


17,688 


Controls and Displays 




Autopilot Mode Controller 

1 

885 

Catalog 

(KMC 340) 

EADI Display, Controls 

1 

7,000 

Estimate Only 

EHSI Display, Controls 

1 

7,000 

Estimate Only 

IDCC, Display, Controls 

1 

8,000 

Estimate Only 

Subtotal 


22,885 


Computer, Electronics 




Processor (8086, Memory) 

11 

9,600 

Estimate Only 

Power Supply and Misc. 


6,000 

Estimate Only 

A/D, D/A, MIX 

2 

2,000 

Estimate Only 

Bubble Memory System 

1 

2,000 

Estimate Only 

Subtotal 


19,600 


Servo Actuators 




pitch Servo 

2 

4,280 

Catalog 

Roll Servo 

2 

4,280 

Catalog 

Your Servo 

2 

4,280 

Catalog 

Pitch Trim Servo 

2 

3.330 

Catalog 

Subtotal 


16,170 



109 




















Table 3-4. Cost Estimate for PAAS (Sheet 2 of 2) 


Device 

Quantity 

Estimated 

Cost 

(Dollars) 

Basis For 
Estimate 

Monitor Sensors 




MAP 

2 

200 

Estimate Only 

RPM 

2 

1,200 

Estimate Only 

Cowl Flap Position 

1 

100 

Estimate Only 

Flap Position 

1 

100 

Estimate Only 

Elevator Trim Position 

1 

100 

Estimate Only 

Radar Altimeter (RT 221) 

1 

2,350 

Catalog 

Subtotal 


4,050 


Weather Radar 




Tran emitter /Receiver 


13,000 

Transceiver /display 




Split Estimate 

Subtotal 


13,000 


Communications 




Comm Transceivers (KY 196) 

2 

3,510 

Catalog 

DABS Transponder 

1 

2,000 

Estimate Only 

Subtotal 


5,510 


TOTAL 


$98,903 



110 
















3.4 PAAS MAINTAINABILITY ANALYSIS 


The projected advanced Avionics System (PAAS) maintenance test 
concept is depicted in Figure 3-5. Highly effective avionics 
built-in test (BIT) is anticipated. On-aircraft functional test- 
ing and fault localization to a module within an LRU are expected 
to be feasible with minimal test equipment. The fixed base oper- 
ator could exploit the BIT capability and minimize his special 
purpose test equipment and become more a storehouse of replace- 
able modules. The avionics should include capability for on- 
aircraft trouble shooting by the fixed base operator. Faulty 
modules could be repaired at the factory. 

BIT design objectives consistent with the above maintenance phil- 
osophy are: 

• Minimize fixed base operator test capability requirements 

• Maximize BIT fault localization capability 

Of course, the resulting BIT mechanization must not significantly 
inci^ease avionics cost. 

DAAS BIT modes include: 

• In-flight test 

• Functional test/fault localization - automatic 

• Functional test/fault localization - interactive 

• Maintenance trouble shooting 

In-flight -test is continuous and will generate a warning when a 
detected failure will disable a system function. The DAAS will 
automatically reconfigure for computer unit processor failures. 


Ill 



112 



ON AIRCRAFT MAINTENANCE 

• FUNCTIONAL TESTING - 95% CONFIDENCE 

• FAULT LOCALIZATION TO LRU - 90% CONFIDENCE 

• FAULT LOCALIZATION TO REPLACEABLE MODULE - 
80 - 90% CONFIDENCE 

• TESTING. TROUBLESHOOTING VIA IDCC 



FIXED BASE OPERATOR 

• ON AIRCRAFT MAINTENANCE 

• LIMITED GENERAL PURPOSE TEST EQUIPMENT 

• REPLACEABLE MODULE STOCK 

• LRU STOCK — (LINE REPLACEABLE UNIT) 



DEPOT/FACTORY 

• MODULE. LRU ATE 

• STANDARD LRU ATE BUS INTERFACE 

• MODULE. LRU REPAIR 

• SPARE PARTS STOCK 


Figure 3^5. PAAS Maintenance Concept 




In-flight failures that are detected by BIT will cause the amber 
warning light to flash. A message will be displayed on the IDCC 
on the line reserved for warning messages. The message will be, 
"Device Failure" followed by identification of the failed device. 
(Vertical Gyro, Compass, etc.). 

Functional Test/Fault Localization, Automatic, is performed at 
power-up, or when commanded by the operator, and tests system 
components as feasible without operator interaction. This test 
function exercises DAAS equipment and identifies failed LRUs as 
well as failed modules within the LRU as feasible. 

Functional Test/Fault Localization, Interactive, is performed on 
command and allows testing of devices where operator actions or 
observations are necessary to complete a test. IDCC and EHSI 
test pattern tests are included in DAAS as examples of avionics 
interactive testing. 

Maintenance trouble shooting allows the operator to apply signals 
and measure signals via IDCC. Memory words can be displayed. 
Analog and discrete signals can be applied at computer outputs, 
and various system analog and discrete signals can be measured 
and displayed. 

Fault localization and replacement of a faulty avionics line re- 
placeable unit can be accomplished in mean time of 15 minutes 
with the level of BIT envisioned for PAAS. Repair of a faulty 
unit, i.e., fault localization and replacement of a faulty part, 
can be accomplished in mean time of 1 hour. 

PAAS packaging must be designed to allow operator removal of 
hardware modules and continued operation with only partial loss 
of function. 


113 



3.5 PAAS MODULARITY ANALYSIS 


PAAS is designed to be modular. The system is constructed of 
building blocks that can be configured to provide varying levels 
of functional capability depending on user requirements. The 
design is intended to facilitate addition of functions without 
major upheaval to the existing aircraft control panel or existing 
avionics. 

Modularity is achieved through: 

• System architecture 

• Controls and displays modularity 

• Hardware modularity 

• Software modularity. 

Basic system architecture, i.e., multimicroprocessors inter- 
connected via data bus, supports modularity. Functions can be 
added by adding appropriate process or modules, and the process- 
ing can interface to the system through the data bus. 

PAAS employs programmable controls and displays that can be re- 
configured for various functional complements. The IDCC includes 
basic mechanical controls (keyboard page callup buttons, etc.) 
and a programmable display. The basic display module is the dis- 
play page. The page can be used as a function control panel or 
for required data and information input/output. The EHSI and 
EADI are displays that can be programmed for the set of functions 
included in a particular PAAS installation. 

PAAS hardware is modular. Standard modules can be added to pro- 
vide computing power, memory, or I/O required for added functions 


114 



PAAS software is structured and modular. Each of the hardware 
modules are programmed with independent software modules that 
require minimum interfaces with other functions. These software 
modules are developed using structured design techniques. The 
system modularity has been demonstrated by addition of the DABS 
function. 

The integration of DABS into DAAS late in the DAAS development 
program demonstrates basic modularity. Incorporation of DABS 
required — 

« Installing a DABS transponder in the aircraft, and interfac- 
ing it to the DAAS computer unit. 

• Adding a DABS processor module, including software, and two 
DABS interface electronics modules to the DAAS computer unit. 

• Adding three DABS pages to the IDCC. 

• Adding a DABS "Message Pending" light to the panel. 

The DAAS processor module is appropriate for DABS computations. 
DAAS keyboard and IDCC page formats are appropriate for DABS. 
Consequently, DABS readily fit into the DAAS framework. PAAS 
modularity is further assessed in the following paragraphs. 

3.5.1 PAAS System Modularity 

PAAS system modularity is demonstrated in Figure 3-6. The vari- 
ous levels of functional capability are depicted. The core PAAS 
functional entity is the autopilot. 

The autopilot processor and a basic I/O terminal are required for 
this function. 


115 



116 


< IUI8LE 
SMEMORV 


\\XN\\N\SS\N\>| 
VAHRS StNSORSH — 

fUUI — 
fHQI.N.f.l — 
::::Wt:;: _ 

CONflCURATION — 

tic — 


■■(ZIE 

mOT2=»' 



^stRvosen ^hrs sensors 

^ ► SERVO StT 2 

I/O 

URMINAL 

1 

NAV I It 

ruu2 — ^ 

ENGINE] 

fiUE ^ 

CONFIGURATION — ^ 
ETC. ^ 

zVZ'Z'ZVi 




TrSTETT 

TRANS 



PAAS FUNCTIONAL LEVELS 
I I 1 AUTOPILOT 

2 AIR DATA FUNCTION 

3 AHRS. ADI FUNCTIONS 

4 NAV, EHSI. IDCC FUNCTIONS 

5 DABS 

6 WEATHER RADAR 

7 FAULT TOLERANT CAPABILITY 


1 

I 

1 

I 

III 

omsiiii 






Figure 3-6. PAAS Modularity 


/ 


1 












A second version of PAAS could include the autopilot and the 
air data functions. In this version, the air data function would 
only supply references for the autopilot. Altimeter and IAS data 
sources would be independent . 

A third version of PAAS could have autopilot, air data, AHRS, and 
the electronic ADI that includes the altimeter, IAS and VSI dis- 
plays. 

A fourth version could also include the NAV, EHSI and IDCC 
functions. 

A fifth version could have DABS added, and a sixth version could 
include weather radar data superimposed on the EHSI. 

A seventh version could include the necessary redundant hardware 
for fault tolerant operation. 

Each version of PAAS would be complimented by systems necessary 
for desired functional capability and backup. A particular ver- 
sion of PAAS could include spare room to allow incorporation of 
some additional capability: either the defined next higher level, 

or a yet-to-be-defined advanced capability. 

3.5.2 PAAS Controls and Displays Modularity 

The ideal controls and display configurations from a modularity 
standpoint, would include only general purpose controls. No con- 
trols dedicated to a specific function would be allowed in order 
to minimize impact on panel hardware when a function was added. 

In an idealized PAAS configuration, controls would include a 
general purpose keyboard, and one IDCC page callup button for 
each function. 


117 



DAAS has deviated from this ideal in certain respects: 

• Various dedicated NAV function controls are implemented 
above the IDCC, included with page call-up buttons; i.e., 

USE, CRS, SEL, LAT DIR TO, AUTO CRS SEQ. 

9 Dedicated map control buttons are implemented next to the 
IDCC; i.e., HDG/NOR, MAP/CRSR, MAP RTN, WP BRG, REVU, MAP 
SCALE. 

• Dedicated autopilot mode controller, annunciator panel. 

• Other function controls 

These dedicated function controls were implemented to maximize 
their accessibility. 

Dedicated NAV function controls could be avoided if these controls 
were instead implemented in IDCC pages. The penalty for elimina- 
tion of dedicated NAV function buttons is as follows: 

• One additional button push required to activate LAT DIR TO. 

• One additional button push required to change waypoint data 
access from linked waypoint, to unlinked waypoint. 

The advantage of this approach, in addition to improved modularity, 
is elimination of dedicated NAV function buttons above the IDCC, 
which leaves only page call-up buttons there. This eases system 
comprehension . 

Current dedicated map control buttons do not significantly degrade 
modularity. They can be an integral part of the EHSI assembly. 
Spare control buttons should be included, however, for additional 


118 



functions which use the EHSI, which will also have dedicated con- 
trols; e.g., weather radar. 

The PAAS Autopilot mode controller is a dedicated panel. Acces- 
sibility to the safety critical mode controller seems to preclude 
its incorporation into multifunction control facilities such as 
the IDCC. The autopilot mode annunciator panel would likely be 
incorporated into the EADI if EADI were included in PAAS. 

3.5.3 PAAS Hardware Modularity 

The existing DAAS hardware is modular. The basic hardware build- 
ing block is the processor board, Figure 3-7. This 6.25 by 6.25 
inch printed circuit board includes: 

• INTEL 8086 16-bit microprocessor 
a 2K X 16 PROM Memory 
a 4K X 16 RAM Memory 
a Crystal clock 

a IEEE 488 bus talker/listener/controller 
a Interrupt controller 

If more than 4K x 16 memory is required for a particular PAAS 
processor, a supplemental 6.25 by 6.25 inch memory board is used. 
This memory board can contain up to 12K x 16 additional RAM 
memory. Other hardware modules that could be employed in a PAAS 
system include: 

a EADI, EHSI display refresh memory module 
a Bubble memory module 
a Analog/Discrete I/O modules 


119 





?5JS'« 


»T?ISg9T4,t£v 
tdHS 7'>4«i 
S(«t,APO.!S. 


O <V 


^f.nski'3 , t 


'"iaIIW*"* 






tf ft I 81 I 







PAAS would employ a higher level of circuit integration than the 
existing DAAS system. Custom VLSIC would be economical for PAAS 
for the basic hardware modules. Exploiting modularity of a pro- 
duction version of PAAS requires the following hardware design 
considerations : 

The PAAS computer box must have sufficient room and external 
connector pin capacity to support eventual growth. 

• Power supply - The PAAS power supply must have reserve capac- 
ity to support eventual system growth or else the power sup- 
ply must be changed as functions are added. 

• Data bus throughput - The PAAS data bus must have sufficient 
throughput margin to support eventual system growth. The 
current system IEEE 488 bus is only 30 percent loaded, which 
is consistent with this requirement. The PAAS data bus 
would require higher throughput to accommodate the AHRS and 
weather radar functions. 

3.5.4 PAAS Software Modularity 

PAAS software must be modular. Functions are implemented in 
software modules; i.e., independent programs with single entry 
and exit, separate data locations and clearly defined and con- 
trolled interfaces. Data bus communications are managed in an 
orderly fashion by the bus control processor, with growth in mind. 


121 



SECTION 4 

FABRICATION AND FLIGHnyORTHINESS TEST RESULTS 


Fabrication of the DAAS central computer, IDCC and EHSI was com- 
pleted in November 1980. System integration began on this date and 
concluded in March 1981. System debug and test was performed 
according to standard Honeywell test procedures. Each card and 
software module was testing to the extent practical. System ele- 
ments were systematically integrated and tested. As a final func- 
tional test, a simplified aircraft simulation was included in the 
DAAS software. This simulator allowed for a complete functional 
test of the hardware and software. Flight scenarios similar to 
that described in Section 2 of this report were flown using the 
autopilot and evaluated. This simulation capability was retained 
for the flight test configuration because of it value as a training 
aid. 

In late March 1981, the DAAS system was subjected to the flight- 
worthiness test procedure defined in Hone 3 ^ell Document W0488-FWT-02 . 
This procedure included environmental tests of low temperature at 
altitude, -20°C, 15,000 feet; high temperature at altitude, +50°C, 
15,000 feet and vibration. The Radio Adapter Unit having undergone 
testing at King Radio, was not subjected to these environmental 
tests . 

As detailed in the test plan, each device separately received one 
sine wave vibration scan in each of the three principal axis from 
5 Hz to 500 Hz to 5 Hz. The vibration amplitudes were .01 inches 
DA from 5 to 32 Hz and 0.5 g peak from 32 to 500 Hz for the IDCC 
and the EHSI. The CCU received 1.5 g peak from 55 to 500 Hz with 
the same double amplitude at low frequencies. 


122 



All of the system components manufactured by Honeywell, Inc. 
performed within the specifications defined by the f lightworthi- 
ness environmental test procedure. 



SECTION 5 

INSTALLATION AND FLIGHT TEST 


The installation and flight test of the DAAS was accomplished at 
the King Radio Flight Operations facility in Olathe, Kansas, from 
December, 1980 through November, 1981. 

The equipment was installed by an FAA approved designated altera- 
tion station. Flight testing was done under the guidance of FAA 
designated engineering representatives. Prior to first flight the 
aircraft was inspected by a NASA aircraft inspector. 


5 . 1 INSTALLATION 

The installation work began in December, 1980 when the NASA 402B 
aircraft was delivered to King Radio. Initially, work efforts were 
directed at the removal of any existing equipment that interfered 
with the DAAS installation. Work on the harness was begun. 
Mechanical engineers reviewed the servo installation requirements 
and designed new brackets. A preliminary control panel was cut to 
allow a fit check using mockup equipment . The engine, control 
switches were moved overhead to allow access by either pilot. 

The actual installation of equipment started in April, 1981 when 
the bench testing was completed at Honeywell and the hardware was 
shipped to King Radio. Installation was completed in May, 1981 and 
the aircraft was released for ground test. 


124 



5 . 2 FLIGHT TEST 


5.2.1 Flight Test Schedule 

The flight test schedule is shown in Figure 5-1. 

The flight test plan divided the work into three phases: 

Phase A - Ground Checks 

Phase B - Shakedown and Autopilot Certification 
Phase C - DAAS Evaluation and Acceptance 

The test plan was written to allow as much testing of DAAS functions 
on the ground as was possible. Table 5-1 is a matrix showing which 
DAAS functions were tested in each phase. 



Figure 5-1. Flight Test Schedule 


125 














Table 5-1, DAAS Flight Test Matrix 


DAAS Functions: 

Phase A 

Phase B 

Phase C 

Autopilot 




Yaw Damper 

X 

X 

X 

HDG SEL (Heading Select) 

X 

X 

X 

ALT, ALT ARM (Altitude Hold, Altitude Arm) 

X 

X 

X 

NAV, VNAV Coupled Control 

X 

X 

X 

Approach Coupled Control 

X 

X 

X 

Navigation/Flight Planning 




VOR, VOR/DME Radio Navigation 

X 

X 

X 

10 Waypoints , 10 NAVAID Storage 

X 


X 

Moving Map Display 

X 


X 

VNAV (Vertical Navigation) 

X 

X 

X 

Flight Warning/ Advisory System 




Engine Parameter Monitoring, Warning 

X 


X 

Aircraft Configuration Monitoring, Warning 

X 


X 

Ground Proximity Monitoring, Warning 

X 


X 

Airspeed and Stall Monitoring, Warning 

X 


X 

Altitude Advisory Function 

X 


X 

Marker Beacon Advisory Function 

X 


X 

NAVAID Identification Monitoring, Warning 

X 


X 

Autopilot/Flt . Director Monitoring, Warning 

X 

X 


BIT Fault Warning 
GMT Clock Function 

X 

X 


X 

Fuel Totalizer Function 
Weight and Balance Computations 

X 

X 

X 

X 

Performance Computations 




Takeoff Performance 

X 


X 

Cruise Performance 

X 


X 

Fuel/Distance Time Computations 

X 


X 

DABS (Discrete Address Beacon System) 




BIT (Built in Test) 

X 

X 

X 

Normal, Emergency Checklists 

X 


X 


126 











5.2.2 Ground Test 


Ground tests were conducted using ramp generators 
equipment to simulate aircraft flight conditions, 
individual tests were conducted. These tests are 
Table 5-2 . 


Table 5-2 . Individual Ground Tests 


1. 

Initial System Setup 


2. 

Compass /Directional Gyro 


3. 

Attitude Indicator and Vertical 

Gyro 

4. 

Flight Director 


5. 

Commanded Built-In Test 


6. 

Heading Select Mode 


7. 

Go Around Mode 


8. 

Altitude Hold 


9. 

Trim Modes 


10. 

NAVAID Data Entry 


11. 

Waypoint Data Entry 


12. 

Nav Radio Tuning 


13. 

Nav Mode 


14. 

VNAV Mode 


15. 

Altitude Arm 


16. 

Approach Mode 


17. 

Pitch Axis Autopilot 


18. 

Roll Axis Autopilot. 


19. 

Yaw Axis Autopilot 


20. 

Manual and Auto Pitch Trim 


21. 

Autopilot/Yaw Damper Disengage 

Logic 

22. 

EHSI Map Display 


23. 

Flight Warning/ Advisory System 


24. 

Weight and Balance Calculations 


25. 

Performance Calculations 


26. 

Checklists and Emergency Procedures 

27. 

Comm Radios and Audio System 


28. 

Altimeters and AOA 


29. 

Airframe and Engine 



and other test 
Twenty-nine 
tabulated in 


127 





5.2.3 Shakedown Flights 


The shakedown flights were required to check overall aircraft con- 
ditions and to perform a functional scan of all modes and equipment. 
The aircraft had not been flown for seven months and therefore its 
condition was not known. The attitude hold, heading hold, altitude 
hold and nav systems were checked with the flight director; 
approach modes were similarly checked. Problems were investigated 
and corrected. The autopilot was engaged when it was determined 
to be safe. The servo torques and rates were adjusted to the levels 
required to properly fly the aircraft . 

5.2.4 "Certification" Flights 


The "certification" flights verified that the autopilot could safely 
fly the aircraft and that it could not (in any mode or due to any 
failure) jeopardize the safety of the aircraft. Table 5-3 provides 
the list of malfunctions tested. Table 5-4 lists the twenty-six 
flight conditions where the malfunctions were done. The manual 
trim system was also tested to verify safe operation in all con- 
ditions. No attempt was made to actually obtain a supplemental 
type certificate for the DAAS. 


128 



Table 5-3. Malfunctions Tested 


Single Axis 

Hard Left Aileron 
Hard Right Aileron 
Hard Left Rudder 
Hard Right Rudder 
Hard Up Elevator 
Hard Down Elevator 
Hard Up Autotrim 
Hard Down Autotrim 





Multiple Axis 


Hard 

Down 

Elev. 

Hard Left Aileron 

Hard Left Rudder 

Hard 

Down 

Elev. 

Right 

Right 

Hard 

Down 

Elev. 

Right 

Left 

Hard 

Down 

Elev. 

Left 

Left 

Hard 

Down 

Elev. 

Right 

Right 

Hard 

Down 

Elev. 

Left 

Right 


129 



5.2.5 Evaluation Flights 


The flight test program was flown by King Radio test pilot 
Lloyd Bingham with periodic flights by NASA Project Pilot, 

Gordon Hardy. Approximately seventy hours were flown during 
the program. The program finished with flight demonstrations 
to industry conducted at King Radio, Olathe, Kansas from November 
9 through November 17. Fifteen pilots have flown the aircraft 
to date and the overall evaluations have been favorable. Tables 
5-5 and 5-6 tabulate some of the comments received on the system. 

Many of the discussions after the flight centered on the functions 
which could be implemented in an integrated system. A built-in 
simulation mode was included for troubleshooting and software 
debug. This function was left in the system for pilot training. 
The major problem during demonstrations was to minimize pilot 
headdown time and to keep from overloading the pilot with too 
much data. 


Table 5-4, Airworthiness Testing 


Condition 

Trim Speed 

AC 

Weight 

C.G. 

Altitude 

Servo Torques 

Climb 


Worst Case 

Rear 

Low 

Maximum 

Cruise 

7 

Level flight 

Worst Case 

Rear 

Low 

Permissible 

Maximum 

Maneuvering 

Level flight 

Worst Case 

Rear 

Low 

Permissible 

Maximum 

Descent 


Worst Case 

Rear 

Low 

Permissible 

Maximum 

Climb 


Worst Case 

Rear 

Mid-Range 

Permissible 

Maximum 

Cruise 

y 

Level flight 

Worst Case 

Rear 

Mid-Range 

Permissible 

Maximum 

Maneuvering 

Level flight 

Worst Case 

Rear 

Mid-Range 

Permissible 

Maximum 

Descent 

AP 

Worst Case 

Rear 

Mid-Range 

Permissible 

Maximum 

Climb 

mo 

V 

Worst Case 

Rear 

High 

Permissible 

Maximum 

Cruise 

7 

Level flight 

Worst Case 

Rear 

High 

Permissible 

Maximum 

Maneuvering 

Level flight 

Worst Case 

Rear 

High 

Permissible 

Maximum 


AP V „ 

Worst Case 

Rear 

High 

Permissible 

Maximum 

Approach 

mo 

1,3 

Worst Case 

Rear 

Low 

Permissible 

Maximum 

SO 




Permissible 

Re 

peat all of the 

above for single engine operation. 


130 




Table 5-5. System Comments 


Positive 

\yp Insert /Map Edit/LAT DIR to 

Map Review 

Morse Code Check 

Weight and Balance 

Moving Map Helps Orientation 

Warnings 

Negative 

Manual Paging on the Checklist 
Checklists not Programmable by Pilot 
Active Checklist Item not Emphasized 
Clutter on EHSI 
No Altitude Preselect on EHSI 

Mixed 

Compass Tape Vs Card or Arc 


Table 5-6. Hardware Comments 


Positive 

Sunlight Readability of CRT 
Keypad Layout 

Negative 

Keypad too Stiff /No Tactile Feel 
Manual Dimming on CRT 
No Voice Warnings 
Raster Scan Looks Ragged 
Pushbuttons Should be Guarded 


131 






SECTION 6 

CONCLUSIONS AND RECOMMENDATIONS 


The DAAS system design has been completed and flight tested. 
Simulator evaluations have been performed. The PAAS configura- 
tion has been defined and analyzed on the basis of cost, reliabil- 
ity, maintainability, and modularity. The following conclusions 
and recommendations are based on the experience associated with 
this effort to date. 

• Functional Configuration - DAAS provides expanded functional 
capability with respect to currently available avionics and 
has the potential to significantly improve single pilot IFR 
safety and efficiency. The DAAS architecture provides the 
framework for additional expansion without the requirement 
for added displays. This is accomplished by using the shared 
data base, displays and bus. The distributed architecture 

of the system provides for functional independence. This 
minimizes the number of needed interfaces between functions 
and thereby reduces data input and subsequent pilot training. 

• Function Set - The DAAS function set is comprehensive and. 
suitable for demonstration. Operational simplification and 
functional additions have been suggested that may be appro- 
priate for an operational system. 

• Cost - The DAAS concept is cost effective, and has cost ad- 
vantages with respect to conventional avionics as the number 
of integrated functions increase. 


132 



• Reliability - The DAAS system architecture reduces computer 
system failure rate to a negligible portion of the total 
system failure rate. Sensor and servo failure rates dominate. 
Low cost sensor and servo redundancy should be pursued with 

a goal of 10,000 hours in-flight MTBF for autopilot and basic 
navigation functions to provide extremely reliable pilot re- 
lief to facilitate effective flight management. The PAAS 
configuration promises much higher functional reliability. 

• Maintainability - DAAS offers improvements in avionics main- 
tainability through improved reliability, automatic fault 
detection and isolation, and on-aircraft trouble shooting 
without special test equipment. 

• Modularity - DAAS is functionally modular, with general pur- 
pose controls and displays, and hardware and software build- 
ing blocks to provide varying levels of capability. Expan- 
sion of capability has minimum impact on the existing aircraft 
control panel and existing avionics. 

Following is an expansion of these conclusions and recommendations. 


6-1 FUNCTIONAL CAPABILITY 

The DAAS system provides comprehensive facilities for flight 
management. Concensus of evaluations is that DAAS provides im- 
proved functional capabilities with respect to current avionics, 
and has the potential to significantly improve single pilot IFR 
efficiency and safety. Checklists, weight and balance, and per- 
formance functions are convenient to use, and they support good 
pilot practices. The moving map display, IDCC data readout, and 


133 



comprehensive warning system inform the pilot of flight status. 

The autopilot, which couples to the NAV system, provides the 
necessary relief that allows the pilot to monitor and effectively 
manage his flight. 

The DAAS moving map display is well received and considered a 
major aid in flight management. However, the . following enhance- 
ments have been suggested: 

9 Terminal area display could be expanded to include stored 
approach plate details. Automated terminal area flight 
management including coupled NAV and autothrottle functions 
should be considered. 

9 It would be desirable to accurately display the runway during 
landing approach. This could, perhaps, be feasible if 1) a 
strapdown AHRS with short term INS capability were a part of 
DAAS, or 2) MLS were included, or 3) GPS were included, or 
4) ILS/DME navigation mode were included. 

9 A color map display would be useful to facilitate increased 
display information content. 

9 Expansion of DABS to aid in congested terminal area communi- 
cations would be desirable. 

9 Incorporation of an EADI into DAAS would be an appropriate 
follow-on effort to further develop the concept. 

The DAAS function set is considered representative and adequate 
for demonstration purposes. There are areas where changes might 
be considered for an operational system. 


134 



6 . 2 COST 


DAAS includes significantly more functional capability at a cost 
competitive with conventional avionics, as illustrated in section 
3.3. The DAAS cost advantage will become more decisive as more 
functions are incorporated. For example, DAAS could be expanded 
to integrate: 

9 Weather radar 
9 Air data computer 
9 Autothrottle 

9 Automatic storage of airport facility data 
9 AHRS 

9 Radar altimeter 
9 Other functions 

Therefore, with each function added total system cost per func- 
tion would come down since packaging power supplies, and controls 
and displays are shared in DAAS and need not be duplicated for 
separate functions. 

Consequently, the DAAS concept of integrated avionics is cost 
effective. 


6.3 reliability, SAFETY 

The PAAS system reliability, including sensors, instruments, 
computers, and servos is estimated to be 137 hours MTBF. This 
system reliability is expected to improve as integrated circuit 


135 



technology advances, and electromechanical devices are replaced 
by solid state devices. 

The existing DAAS NAV/Autopilot function reliability is estimated 
to be 9260 hours mean flight time between loss of function. 

The DAAS architecture, using advanced electronics, has produced 
a very reliable computer system. Consequently, DAAS reliability 

was affected mainly by sensor and servo failure rates; e.g. , 
system sensors and servos contribute 96 percent of the autopilot 
failure rate. Since the autopilot and NAV functions are essen- 
tial to effective flight management, it is recommended that low 
cost redundant sensor and servo configurations be pursued, with 

a goal of 10,000 hour NAV/ autopilot flight MTBF. The DAAS 
architecture can cost effectively provide such reliability. 

The failure mode effects analysis of 86 DAAS elements concludes 
that, with recommended modifications implemented, DAAS failures 
are tolerable and safe. The DAAS safety pilot's contribution to 
flight safety is also acknowledged, especially in take-off and 
landing situations. 

System safety can be improved using the DAAS concept . Providing 
accessable and easy to use weight/balance and performance calcula- 
tions and checklists will -increase. The frequency of use. Compre- 
hensive warning and built-in-test functions will detect conditions 
that are currently not testable. Increased functional capability 
will reduce pilot work load. 

6.4 MAINTAINABILITY 

DAAS concept offers improved maintainability through: 


136 



o Improvements in hardware reliability 


• Built-in test for automatic fault detection, localization 

• Capability for on-aircraft trouble shooting without special 
test equipment . 


6 . 5 MODULARITY 

The DAAS system is functionally modular. It is composed of hard- 
ware and software building blocks that can be configured to pro- 
vide varying levels of functional capability and cost. Expansion 

of capability will have minimum impact on the existing DAAS air- 
craft control panel and avionics. 

The DAAS system can be adapted to interface with devices from a 
variety of manufacturers. For example, hardware and software 
modules could be developed to allow use of different NAV receivers, 
even if the NAV receivers were not equipped for remote tuning. 
Manual tuning would be required in this version of DAAS, on com- 
mand from the IDCC. The system can also accept input signals 
from sensors supplied by a variety of manufacturers. The variety 
of subsystems with which a production version of DAAS would be 
compatible would be determined in a marketing study. 

DABS integration into DAAS late in the DAAS development program 
demonstrates basic modularity. Incorporation of DABS required: 

9 Installing a DABS transponder and control panel in the air- 
craft, and interfacing it to the DAAS computer unit. 

9 Adding a DABS processor module, and two DABS interface elec- 
tronics modules to the DAAS computer. 


137 



9 Adding three DABS pages to the IDCC. 


9 Adding a DABS "Message Pending" light to the panel. 

The DAAS processor module is appropriate for DABS computations. 
DAAS keyboard and IDCC page formats are appropriate for DABS. 
DABS readily fit into the DAAS framework, thereby demonstrating 
that DAAS is a highly modular system. 


138 



GLOSSARY 


ADI - altitude direction indicator 

AHRS - Altitude Heading Reference System 

ALT - altitude, altitude hold 

APPR - Approach 

ARM - arm 

ATC - Air Traffic Control (National) 

BIT - built-in test 

CC - central computer 

ecu - central computer unit 

COM - communication 

COMM - communication message 

CPU - central processor unit 

DAAS - Demonstration Advanced Avionics System 

DABS - Discrete Address Beacon System 

DME - distance measuring equipment 

EEPROM - Electrically Eraseable PROM 

EHSI - electronic horizontal situation indicator 

ELM - extended length message 

EPROM - electrically alterable PROM 

ETA - estimated time of arrival 

FAR - federal aviation regulation 

FDI - flight director indicator 

GMT - Greenwich mean time 


139 



GLOSSARY 


GS - glideslope 

HDG - heading 

IAS - indicated air speed 

IDCC - integrated data control center 

IFR - instriiment flight regulations 

LOG - localizer 

MDA - minimum descent altitude 
MLS - microwave landing system 
NAV - navigation 
NAVAID - navigational aid 

PAAS - Projected Advanced Avionics System 

PROM - programmable read-only memory 

RAM - random access memory 

RAU - radio adapter unit 

RMI - radio magnetic indicator 

ROM - read-only memory 

RPM - revolutions per minute 

SEL - select 

SM - standard message 

UV - ultra-violet 

UV-EPROM - ultra-violet eraseable PROM 
VER - visual flight regulations 
VHF - very high frequency 


140 



GLOSSARY 


VNAV - vertical navigation 

VOR - VHF omnidirectional (omni) range 

VOR/LOC - VOR localizer 

VOR/LOC/GS - VOR localizer glideslope 

VSI - vertical speed indicator 


141 



This Page Intentionally Left Blank 



APPENDIX A 

DAAS FAILURE MODES AND EFFECTS ANALYSIS 


143 



144 


FAILUKL 

III). UMS LLCMEliT 

UQ FAILURE 

FAILURE 

RATE*1J‘ 

AFFECTED 

ELLI'lEliTS 

EFFLCTS OF FAILURE 

UAAS 

UAKN. ETC. 

FAILURE 

CATEOORV 

CUbiLi.Tb 

1 Encoding Alti- 

meter 

-571 Fault 

within the 
Altim. 

200 

AI time ter 
Indlca tor 

Erroneous Visual Output 

Yes, Poi^er 
Servo Loop 

3 

During IFR-coikiiliuns. 
Proximity Warn, uo nut 
uetect. Vertical Obstacles 




Dabs Transpond. 
KT76A 

Erroneous Output 

M 

Error Check 
Amber Light 

3 

Hisleads Traffic Cuntrol. 




A/P CPU 

Erroneous 

"0. Proximity Warn." 



wrong Warn. Tnresnuld 




A/P u lUCC CPU 

Erroneous “Alt. Advisory* 
Light Info. (Alt. Alert. 
iiUA t Dll.) 


2 

"hecundary Effect" 




A/P a hAV CPU 

Erroneous Paraneter 
T.O. A Nav. Calculation 


3 

Wruinj Fuel or T.U.- 
Uistance Calculation. 

Conclusion: Far 91 do not require redundant altinmters for Cat. 1 IFK. only for CAt 11. 

The Probability for a failure is ' 10'T during 4 hours fit. significant! 

The co-pilot instruimntation required in OAAS. OK. 

2 Co-Pilot 

A1 tine ter 

Fault 
in the 
A1 tine ter 

200 

AI time ter 
Indicator 

Erroneous Visual Output 

llo 

2 

Will cause soue inconven- 
ience until decided wbicn 
altim. failed. 


Conclusion : Loss of the co-pilot altitude info is a minor problem to the UAAS pilot. The probability of loss of , i 

botn ^aro-altimers during 4 fit. hrs. is: A- ( Apitot +A a1tim)pilot •( A pitot *A a1t1m)co-pilot ' (4.y50-lU“‘) 

- 10' . A catastrophe will occur if the A/C collides with an object not detected by tlie proximity 
warning system. The probability for this to happen is considerably less than 10'^ . 


] 


] 


1 


1 





145 ' 




1 A 


1 ) ) ) 


itu. 

u\m:> kLUiuiT ' 


FAILUHl m^FlCTlL 
FAlLUkL K/tTL*10^ tUMUJS 

LFFLCTS UF FAILbKL 

uAAS FAILbKL 

Mi.. LTC. UTLUdUY 

CUi'UiLnTb 

J 

Kduir HlCliiUCer 

KTiii;! 

Fdult ill 
iido. Alt. 
Inci. Ant. 

VF U*L a luce 

uJJ 

A/p CPU u LliSI 

Erroneous ‘u. Proxinity 
liarn.“ 

Lrroneuus; RaJ. Alt. Info. 

Rad. Alt. 

Valid. 

(Aiioer Lignt) 2 

Tile farotubiliij 
fur 3aro.»anJ 
KaJ<tr-Al till. Failures 




Conclusion: 

lio Far 'j1 reiiuiremeiit on 
A critical situation (4) 
lleijliyilile iiroCability, 

Rad. Alt. if installed, fail 
occur if both tne oaro. Alt. 
OK. 

. uarn. required. Validity signal UK. 
and Rad. Alt. fails. 

4 

True Air 
Speed Sensor 

VAZIO 

Fault in 
Tas OR 
Sign. Cond. 

luO A/P A ilav. CPU 

LliSl 

Erroneous inputs to Ilav. 
t Fuel consum. 
calculations 

do 2 

Pilot confused, iiignt 
create a proulem if no 
radio Ilav. availaule. 




Conclusion: 

TAS not required by Far Ul, 

It is very unlikely (<1U*‘) tnat a TAS failure Mill cause a critical situation 
due to redundant IAS and VOR/UHE infoniiation. 

in bAAs 

S 

IAS Instru- 
ment 

Pdnel 

Instru- 

iiient 

Failure 

2dU IAS 

Indicator 

Lrroneous visual output 

iio i 





Conclusion: 

Single IAS instruiient UK for Cat I IFK, Far UI. 2 required Cat. II conditions. 

Loss of IAS instrument not critical in DAAS. Redundant visual speed info, available. 

b 

Co-Pilot 
IMS Instru- 
iient 


Instru- 

ment 

Failure 

2dU IAS 

Indicator 

Erroneous visual output 

lio 1 

lleylectable to pilot. 
Redundant info, available 
(IAS . KPH) 




Conclusion: 

Loss of Co-Pilot IAS info, no problem to tiie pilot. 

Tne probability of loss of botn IAS indicators are (mitn reference to fault lio. 2): 
(A'diu-Iu'^)^ '2-I0'^. Tne risk for a catastropne is significantly lower in tne uAAS 
systems since redundant info, such as VOR/liHL and angle of attack are available. UK. 

7 

Air Data 
Coiiipu ter 

KUC- 

330 

Instru- 

ment 

Failure 

2UU A/P CPU 

Erroneous a-il bignal 

Tes 2 

Alt. Valid 
(Amber Ligiit] 

Additional Alt. a VS 
info, available. Tne 
i^iiot monitors Alt. nolo. 




Conclusion: 

Far part 91 do iu>t require a 3rd lAS/ALT. Sensor. 

Tile Alt. /IAS valid and available redundant Info, will ulnlnize risks. 



146 


FAlLbRL 

liU. 

OAAS LUHLitT 

ilU. 

FAILORL 

FAlLbRt 

K«TL»10‘> 

AFFtCTLO 

LLUICIlTS 

IFFLCTS OF FAILORL 

UAAS 

UARll.LTC. 

FAILURE 

CATLCUKV 

COMHtilTS 

d 

Pitot system 

left 

faulty 
PTOT or 
PSTAT 

so 

Altiiimter 
VSI-Indicator 
lAS-lndlcator 
ADC KUC-33d 

Erroneous: 

ALT i ^11 info. 

IAS & VSI 
flight warning 
proximity " 
transponder response 

HO 

3 

Confusing info. 
Risk for wrong 
action in IFR 
cond. Pilot or 
ground control. 

9 

Co-pilot 
pitot system 

right 

faulty 
PTOT or 
PSTAT 

SO 

Altimeter 

VSI-indicator 

lAS-indIcator 

Erroneous visual Info, to 
co-pilot 

110 

1 

Co-pilot not in tne 
control loop. 


Conclusion; 


Dual PITOT systems required by FAR 91 only for CAT. II operations. For UAAS, 
PITOT system provide adequate redundancy. 

The probability of failures In both left and right PITOT systems 
Very low risk'. 


the co-pilot and the right 
Is - ( 4 . SO- 10'* )'mo'\ 


10 Outside air 
temp. 


sensor or 5 IIAV-CPU erroneous input to T.O., liO 2 

sign. cond. cruise, and fuel/distance 

failure calculat. 


Fuel qty. cnecks 
will alarm pilot in 
time for refueling. 
Probability of failure 
low 


Conclusion: lio OAT required by FAR. , , 

OAT failure is not assumed to cause severe pilot problems. It is suggested, liowever, 
tliat inputs to calculations such as OAT ALT etc. are displayed to the pilot when used. 


147 


FAiLURL 

iiU. 

UAnS tCLllLilT 

.10. 

FAILURE 

FAILURL 

RATt*l0‘ 

AFFLCTtU 

ELLHUITS 

EFFECTS OF FAILURE 

DAAS 

UARd. ETC. 

FAILURE 

UUGUHY 

CuHhuiIs 

11 

Magnetic Flux 
uetec tor 

nlll 

112 

Faulty 
Hag. North 
ref. signal 

20 

Radio Magnetic 
indicator 
and LhSI 

Erroneous Visual Output, 
(bir. GYRO slaved to 
Hag. Fx. Uet.) 

i«0 

3 

The pilot misled uy E-i 
liHlIcators giving cunsistent 
faulty infornmtiun. 






A/P - CPU 

Faulty Hdg, Error 
In Hdg-nold mode 


3 

KMT112 essential uniti 






IIAV - CPU 
IDCC-CPU 

Faulty Navigation 
and fuel/distance 
calculations 


3 

Caiman Filter will output 
excessive wind. Spoiling 
calculations. 




Conclusion: 

Far gi requires mag. dir. indicator and dir. GYRO for 
Co-pilot dir. CYRO and Hag. compass makes HAAS oEI 

IFR, 2 dir. GYROS req. for 

Cat il corvl. 

12 

Slave Acces- 

KA 

SIA 

Dead or 

wrong 

output 

10 

The indicator 

Faulty visual output 

!lo 

1 

RHl and mag. compass info 
available to pilot, elimi- 
nates confusion. 




Conclusion: 

Far vl do not explicitly state the need of a slave accessory. 



Id 

Uirectluoal uYKO 
Scutt T/UtlA 

KSG 

IdS 

Faulty 
ildg. Out- 
put 


Radio umgnetic 
indicator aixi 
LHSI 

Lrroneous visual output 

Yes 

Hdg. valid 
(Amber Light) 

3 

Uir. GYRO essential. See 
See iio. 11 couaeiits. 


A/p - CPU 

m - CPU 
lUCC-CPU 


Faulty Hdg. error in 
litlg, Hotle 

Faulty navigation 
and fuel/distancii 
calculations 


Radio magnetic 
indicator 


Conclusion: 


KZ Fault in 
226 tte Rill 


See fault No, 11 corunents. 

The Ulr. CYRO validity-test coverage * 70*. Probability for undetected failure (u,d'4 • duU’lO**') 
- 4<ld~'' during a 4 hours flight. Still significant! 


33d RMI indicator Erroneous visual output 
GYRO or VOR node 
Far requirement see Ho. 11. OiC. 


liag. cuiipess. Phi and criSl 
provides redundant info tu 
pilot. 






148 


FAILURE 

no. 

OAAS aLHEIlT 

ilO. 

FAILURE 

FAILURE 

RATL*10‘ 

AFFECTED 

ELEMENTS 

EFFECTS OF FAILURE 

UAAS 

WARN. 

ETC. 

FAlLORt 

CATEGORY 

comtehts 

15 

Co-Pilot 
Mag. Flux 
Uetector 

fKHT 

Faulty 
Hag. North 
Ref. Signal 

20 

PNI 

(Slave Acc.) 

Erroneous Visual Output 

Ho 




16 

Slave Accessory 

KA 

51A 

Dead or 

Wrong 

Output 

10 

Slave Acc. 

Erroneous Visual Output 

Ho 


> 1 

1 to the pilot 

17 

Directional 

GYkU 

KG 

102A 

Faulty 

Hdg. 

Output 

3U0 

Pill 

(Slave Acc.) 

Erroneous Visual Output 

Ho 



(2 to co-pilot) 

Id 

PIctural llav. 

indicator 

(P.ii.l.) 

K1 

62SA 

Mag. Card 
Error 

330 

Pill 

Erroneous Visual Output 

No 

j 






Conclusion: 

Loss of co-pilot slaved directional GTRO info, it a minor problem to the OAAS pilot. 

The probability of one failure in tne pilot slaved directional GYRO system and one 
failure in the co-pilot system is ( 4 . 660 . lu~h)> <iu.*h qne probability is remote and tne 
mag. compass and VOR info, available makes the risk very low. 

19 

Turn and Slip 
Instrument 

“RC 

Allen" 

Faulty 
Turn Rate 
Instrument 
Faulty 
Slip 

Instruoent 

ISO 

10 

Turn Rate 
Indicator 

Slip 

Indicator 

Erroneous Visual Output 

Ho 

No 


1 

1 

Turn rate determined from 
roll angle as replacewnt 

Side acceleration sensed by 
pilot acceptable replacement. 


Conclusion : Single slip-skid indicator required for Cat. I and 11 IFR, Dy Far dl. 
Loss of this instrui:ent minor problem. 


20 

Co-Pilot 

Faulty 

ISO 

Turn Rate 

Erroneous Visual Output 

NO 

1 


Turn and Slip 

Turn Rate 


Indicator 





Instruuent 

Instrument 

Faulty 

Slip 

Instrument 

10 

Slip Indicator 

Erroneous Visual Output 

No 

1 



Conclusion: 

Negligible to the pilot and co-pilot. 






149 


FAILUKt 

110. 

DAAS LUMbllT 

uu. 

FAILUKE 

FAlLURt 

KATt*10<' 

AFFtCTfcO 

bLtMFUTS 

EFFECTS OF FAILURE 

DAAS 

WARN. ETC. 

FAILURE 

CATEGORY 

CuFlitllTS 

21 

Yaw Kate GVKO 

GO 

2472 

Faulty 

GVKO 

00 

A/P - CPU 

Worst Case: Rudder trans- 
ient and convergent Yaw 
oscillations. 

tio 

2 

Inconvenient before Y/o 
and A/P disengaged. 


Conclusion : It Is assisted thdt Uie rudder servo slip clutch protects eysinst ddiiyerous slue- and 


amjular-ecclerdtlons and tliet tne A/P dui:)p switch Is an adequate mean to disengaye me 


Angle of Attack 

Type 

Faulty 

r/u. 

lUU 

A/P - CPU 

Stall warning given at Go 

2 

Visual ciicck uf Inc 

iiiensur and 
Inulca lor 

tc 

Ou tput 



non.ialo(, or not given 
wiien needed. 


IndIcuLur and crwsscncck uf 
Speed, vert. Speeu end 


attitude will reveal a 
fault. 


C onclusion : do Far requirement un angle of attack Indicator or stall warning. 


VG Faulty 

JJu 

Attitude Uirect. 

Erroneous "Artificial 

Yes 

2 jJ Pi ten 


Indicator 

■Kirizoii* 

“Vert. GYRO 

and/or 




Valid" 

Roll 




(Ajiiber Li gilt) 

Si'jjial 






A/P - CPU trrurs in control laws. 

Servos 


uifficuU Failure lo uctect, 
especially fur zero output, 
since Aol, n/P and uibi all 
agree. Close ouservance uf 
otner FC-inscruments 
assumeu. 


titSI - CPU krror In predicted Z 

Trendlines 

Conclusion : Far dl requires 1 “Artfflcal itorlzon** for Cat. 1 conditions and 2 fur Cat. 11. 

Tne coverage of the validity test is ** (U.3*4*13d*ld‘^) ' signlf Icaiitl 

Far 23.U2i» e) a itardover failure In tne vertical GYRO roll output propages via 

the A/P cont. laws to roll, yaw aiul pitch axis. Ihls is not acceptable to Far jt wording, 

A kiudlf tcation to eliminate Uie Far-confllct Is reconinemied. 




150 


FmUUKl FAILUKt AFFECTtU UAA^ FAlLUKt 

KU. UA/ii tLiMlKT ilO. FAILUKL KAU*10‘ tieHLilTS iFFtCT:* UF FAILbKC UAKN. tTC. CATLUUKV CuFt'il.ilT^ 


1:4 

Attitude Ulr. 

KCI 

Faulty 

340 

“Artifi. Horiz 

.* Faulty Visual Output 


NO 

2 

A/P tudes and reuundant iiifu 


Indicator 

310 

"Artif. 


Indicator 





available. 


"Artifi. llori.“ 


Horizon* 











Conclusion: 

Far 

requirements, see 

fault No. 23. 









The 

UAAS is OK in this respect. 






Co-Pilot 

KG 

Fault in 

670 

"Artifi. Horiz 

." Faulty Visual Output 


No 

1 

The UAAS pilot can easily 


’TSTmT 

250 

"Artifi. 


Indicator 





determine that the suzjd is 


noriton" 


Horizon" 







faulty. Several redundant 




Unit 







indicators availaole to him. 




Conclusion; 

Loss of the co-pilot Artificial Horizon is a minor problem. 

The suction 






indicator siuws if "power* is available and provides valuable 

info to 






the pilot. 










The probability X of failures in both vertical. GYROS 

and "Artificial Horizons" during a 4 hr. 





flit 

lilt Is ' 4 -(330 + 

340) . 10 X 4 .670* 10 ^ 

or 7 

•10"* . 

The risk for loss 





of 1 

loth "Artificial Horizons* is not negligible 

and may bring tne pilot in 

a 





daimnding situation. 






Cu 

Manifold 

Panel 

Instrument 

Id 

Map Indicator 

Faulty Visual output 


No 

0 

In case of an instrument 


Pressure 


Failure 







failure tnese Instruments 


Instrujiient 








1 

and audiovisual feed backs 











f provide enough info, to 

27 

Lngines KPM 

Panel 

Instrument 

10 

KPH Indicator 

Faulty Visual Output 


Uo 

2 

the pilot to allow correct 


Instrument 


Failure 







failure localization. 

2U 

Lxh. Has. 

Panel 

Instrument 

10 

LGT Indicator 

Faulty Visual Output 


No 

2 



Teiiqi. Instr. 


Failure 








29 

Engine Status 

Panel 

Low Oil 

10 

Eng. Status 

Faulty Visual Output 


No 

3 

1 Faulty Indication of low 


Instrument 2 


Pressure 


Indicator 1 





1 oil pressure may during 




or High 







> some conditions force 




Temp. 







1 the pilot to shut off tne 











1 engine and land A.S.A.P. 

30 

Engine Status 

Panel 

Low Oil 

10 

Engine Status 

Faulty Visual Output 


No 

3 

1 


Instrument 2 


Pressure 


Indicator 2 


• 





or High 
Temt>. 


Conclusion ; Far HI requires with exceiitton of the tCT, the engine Instrumentation. Listed above. (VFK conditions). 
DAAS independent of these instruments. 


151 


FAILURC 

110. 

UAAS CLLMCKT 

NO. 

FAILORE 

FAILURE 

RATE*10‘ 

AFFECTED 

ELEIIENTS EFFECTS OF FAILURE 

UAAS 

UARH. 

FAILURE 
ETC. CATEGORY 

CUHLHTS 

31 

Fuel Flow 
Sensor 1 


Faulty 

Sensor 

5 

Fuel Flow Faulty Visual Output 

Indicator 

Ho 

2 

Fuel qty. Info, available 






lOCC Faulty lOCC Info; 

‘Fuel ReMalning Tine* 
‘Estln. Fuel Remaining* 

No 

2 

‘Estiu. Fuel Keuialnlng“ 
may Indicate too Much 
left, which will Mislead 
the pilot. 




Conclusion: 

Far 91 do not require a fuel flow sensor. 

A faulty sensor olght result In • pilot decision to continue 
Fuel qty. cross checks laay not reveal the situation. It Is a 
pilot Might end up in a flight safety critical situation (4). 

a flight without sufficient fuel, 
low probability (<10*‘) that tne 

32 

Fuel Flow 
Sensor 2 


Faulty 

Sensor 

S 

IDENTICAL TO FAULT NO. 31. 




33 

Fuel (Jty. 

Panel 

Faulty 
Sensor 
L or K 

ISU 

Fuel qty. Faulty Visual Output 

Indicator 

Uo 

2 

UAAS provides independent 
and redundant info, re- 
garding reoMiiiing fuel. 




Conclusion: 

Far 91 requires fuel qty. instruuent for VFK conditions. UAAS supports tne pilot in his 
fuel/dlstance/tine calculations, which lu4jroves the prohabillty of detecting fuel qty. 
instruii;ent failures. 

34 

Honifoltl 

Pressure 

Sensors 

Cele- 

SCO 

Faulty 

Sensor 

3 

A/P - CPU Darning * Ho Hap Fault 

Aaber Light 
Ho Darn. * Hap Fault 

Ho 

1 

Redundant engine instru- 
Ments provides adequate 
info. 

35 

Engine KPM 
Sensors and 
F/V Converter 

NASA 

Faulty 

Sensor 

Id 

A/P - CPU Darning * Ho RPH Fault 

IDCC hiiier Light 

Light Ho Darning * RPH Fault 

Ho 

1 

Redundant engine instru- 
aents provides adequate 
info. 


Conclusi on; OK. 



152 


FAILUKE 

NO. 

DAAS ELCMLMT 110. 

FAILURE 

FAILURE 

RATE*10‘ 

AFFECTED 

ELEFILIITS 

EFFLCTS OF FAILURE 

UAAS 

UARII. ETC. 

FAlLURt 

CATEGURV 

CU-giLilTS 

36 

UIng Flap Pos. 
Sensors 

Faulty 

Hotentlo- 

Meter 

20 

A/P - CPU 
IDCC 

Uarning * OK flap pos. 

Amber Light 

llo Uarning * OK flaps 

Ho 

1 

Regular inspection - 
routines will still be 
followed by tne pilot. 

37 

klevator Triiu 
Pos. Sensor 

Faulty 

Potentio- 

meter 

20 

A/P - CPU 
luCC 

Warning * OK flap pos. 
AiiiLer Light 

Ho Warning * UK flap pos. 

Ao 

1 

Regular inspection - 
routines will still ue 
followed by tne pilot. 

311 

Cowl Flaps 
Pos. Sensors 

Faulty 

Switch 

4 

A/P - CPU 
lUCC 

Warning * UK flap pos. 
Amber Light 

llo Uarning a ok flap pos. 

Ho 

1 

Regular inspection - 
routines will still oe 
followed by tne pilot. 

33 

Landing Gear 
Pos. Sensors 

faulty 
SwI ten 

4 

A/P - CPU 
lUCC 

Warnii» a UK position 
Amber Light 

llo Uarning a OK position 

Ho 

1 

Regular inspection - 
routines will still be 
followed by tne pilot. 

40 

Cabin doors 
Pos. Sensors 

Faulty 
Swi tch 

4 

A/p - CPU 
lUCC 

Uarning a UK position 
Amber Liyiit 

Ho Uarning a uK position 

Ho 

1 

Regular inspection - 
routines will still be 
followed by tne pilot. 

41 

MUX. 

bwitcn ^usltiun 

Faulty 
Swi tch 

4 

A/P - CPU 

luce 

Uarning a uK position 
Amber Light 

ho Warning a OK position 

Ho 

1 

Regular inspection - 
routines will still oe 
followed by tne pilot. 


Conclusion ; Fur requires pUcii trim Indicetor. llncluJed In Lesic InstrunienUtioii) uMli 
provides ajditionil info, to alert the pilot If the A/C status Is It is 
assujned that the today used pre flight cneck routines will he followed. (If not, 
the UAAIi luay Introduced new failure Modes.) 



153 


FAlLUKt 

hO. 

QAAS UtllUlT 

NO. 

FAILUKC 

FAlLbKt 

RAIE*IQ‘ 

AFFtCTtO 

LLtliENTS 

EFFECTS UF FAILUKE 

DAAS 

UARd.ETC. 

FAILUKE 

category 

CuilFlUiTS 

4J 

bub - bwitcn 
and related 
logic 

Control 

Uhoel 

Failed 

Switcn 

d 

A/P - CPU 
Clutches 

CUS-Hode Engaged 
accidently. 

Ho 

3 

A/P and nold nudes dis- 
engaged without pilot 
awareness. No Info. 




Conclusion: 

Far <:3 requests adequate oieans to disengage tne A/P. UK. It Is assusKd tnat the 
pilot by swnitoring the instruments will detect a not desired CUS-sude engageuent and 
that lie will held the cunt, wheel steady when releasing the A/P. 

43 

uo-Around 

Switch 

Control 

Wheel 

Failed 

Switch 

4 

A/P - CPU 

Go-around mode engaged 
‘accidently. 

liO 

<! 

Infonuation given on tne 
annunciator panel. 







Go-around mode not 
engaged when wanted. 


3 

Uenianding iixments to tne 
pilot, especia ly if in tne 
A/P-Appr/GS mode. 


Conclusion : If tlie go-around i.iode not is available when needed a less experienced pilot may 

even create a critical situation. (4’4'1U*‘ x ?,low probability however!) 


44 

Lng./uisen- 

Control 

Failed 4 

A/P - CPU 

Disengage of A/P-modes 

Ho 

2 

Annuncedi 


gage-Switcn 

Wneol 

Switch 

Trlw Motor 

accidently. 





Pitch Trim 




Only Aut. Trim available 


2 

Use Auto.-Trlui 

4S 

ueep-Trin 

Control 

Failed 4 

A/P - CPU 

llo Manual Trim 


2 

use Auto. -Trim 


Pitch 

Wiieel 

Switcn 

Trliii Motor 

Run-away Trim 


3 

Use Auto.’Triiii 




conclusion: The Auto.-Triiii function 

replaces Manual Trlia In A/P kiudes. 



4u 

AU LUpi lot 

Control 

Failed 4A4 

A/p - CPU 

uisengage of A/P 

do 

2 

Aimuncedl 


Uuiiip Switcn 
aiiu helay 

Jiicel 

Switcn 

Clutches 

nodes accidently. 





dot possible to disengage 3 peiuanding in an A/P failure 

A/P. situatiun over power 

possible. 

Conclusio n: Tiie probability for this situation itwolves Loth a sv<ltcli faijure and failure in 

another flight safety critical element. Lstimated probability X “ (4*d*ll)"^ x 4*iuud*lu'“)*l'ld" . UA. 





154 


TAbLt 2 FHEA 


FAlLURt 

NO. 


47 


43 


49 


!)3 


FAlLURt AFFtCTED UAAS FAILURE 

UAAS ELLMLRT NO. FAILURE RATL*10<^ ELEMENTS EFFECTS OF FAILURE WARN. ETC. CATEGORY CU4IILNTS 


Couiiiuiii cation 

Transceivers 

Antennas 

KY- 

196 

Faulty 

Radio 

J3U Coin.iunication llo coi.i.iunication no 1 

Aids 

Assumed Far 9l rules 
followed. 



Conclusion: 

Far 9l requires 1 two-way radio coniiiunications systeiii, Cat 1 and 11. 

UAAS has 3 systems, including antennas. Lie probability of loss of 
cor.iiiunication due to faulty transceivers is for UAAS (4*330'10~^)^ x 4*660' 
(Co-pilot transceiver 660*10'^ fault/FLT hour). OR. 

•10*‘.'6*lu‘“ 

Navigation 

Receivers 

Antennas 

KN- 

63 

Faulty 

VOR 

260 Radio Adpt. box Faulty Navigation Info. No 2 

NAV-CFU 

EIISI - Id'll No or faulty VOR/GS 

Radio Adpt. box directions. 

NAV-CPU 
ENSI - ADI 

Traffic control support 
radar vectoring etc. UAnS 
dead-reckoning. 



Conclusion: 

Far 91 requires appropriate single channel navigation equipment for Cat. 1 conditions 
and dual LOC/GS - receiving systems and a FC-guidance system for Cats conditions. 
UAAS provides triplex receivers and duplex-antennas, including co-pilot bacE up. OK. 

UML receiver 
antenna 

tdt- 

62A 

Faulty 

Receiver 

SOU Radio Adapt, box Faulty Navigation Info. No 2 

NAV-CPU 
LIISI 

Fault detected. VOR 
available . 



Conclusion: 

Far 91 requires UIE if flying at and above 24000 feet. Separate antenna. 

UK. 

Transponder 

Antenna 

KT- 

7CA 

Faulty 

Transpond. 

400 Radio Adapt, box Ho Identification possible No 1 

Traffic control takes 
proper action. 



Conclusion: 

Far 91 do not require transponder. 

The probability for a failure giving information possible to misinterpret by traffic control 
is neglected. Separate antenna. 




155 


^ 1 1 1 ! 1 } 1 1 ! 1 ) ) 


fAILUKt 

IIU. 

UAAS ELUItilT 

IIU. FAILUkt 

FAILUKl 

RAU*1U‘ 

AFFECTED 

ELEMENTS 

EFFECTS OF 
FAILURE 

UAAS 

UARH. tTC. 

FAILUKL 

UTLGUkY 

CUFM.IITS 

51 

Audio headsets 

KMA-24 Fault in 
receiving 
parts 
Fault in 

200 

Earsets, 

speakers 

nlcrophones 

No audio Info. 
Talk, Kav. OH KM 
Ho outgoing talk 

NO 

3 

One-way conn possible 


transnlC 


52 

53 

54 

55 

56 



ADI 

CONCLUSIONt These switches do not represent single point failures In critical single 
channels. OK. Co-pilot backup. 


57 

IDCC keyboard & 
touch P. 


Faulty In- 50 
puts to 
IDCC 

IDCC, CPU 

NAV-CFU 

EHSI 

Erroneous fit. plan, flight 
statue, way points, map, etc. 

NO/YES 3 

Keyed in messages dis- 
played on IDCC before 
entered. Detectable. 

58 

IDCC Selector switches 

Faulty 40 

mode selection 

IDCC, CPU 

Wrong & not changeable "pages" NO 2 

/ Not wanted mode sel- 

ected & not possible 
to select desired mode, 

59 

IDCC CPU, refresh- 
■aemory 6 
display 

Faulty 75 

computation 
& preaen- 300 
tation 

IDCC, CPU 

Wrong or gsrbeled info, 
displayed, not under- 
standable 

YES 2 

BITE 

Pilot misses IDCC AID. 
Pilot detects the 
failure. 



OONCI.USION: The orobabllltv of the dI1oc*s not »*Na 

in this respect! The BITE detects about 801 of all computer 
of undetected failures from 75*4*lo“** • 3 * 10 “^ to 0 . 2 * 3 » 10 *^ 

by IDCC or EHSI checks 
fsilures. wiilch reduces 
- .6*l0*^/4 hrs. 

la very low. Ok 
the probability 

60 

EHSI Selector switches 

Faulty 20 

mode 

selection 

EHSl-CPU 

EHSI 

Wrong & not changeable modes 
or scales. 

NO 

Not posaible to select 
desired mode. 

61 

EUSl, CPU & BIM, 

refresh-uieinory 

and 

display 


Faulty 75 

computation 

and 

presentation 300 


Wrong or garbled 
info, displayed 

YES 2 

BITE 

Pilot misses EHSI info. 
Fault detect possible 
by pilot. 



The probability for loss of EHSI is ^400*4*10 - l.b-lO*”* per 4 fit. hrs 

The possibility of reconfiguration (BIH -I- CPU) reduces the probability to 

' 4*325'10‘^ - l.3M0"^ 

assuming 100% 


BIIT; coverage. 



156 


FAILUUl 

no. UAAS UUtLUT 


62 Annunciator 
panel & drive 
clrculta 


FAILURE AFFECTED 
FAlLUKi KAU*10^ ELEMENTS 


EFFECTS OF 
FAILURE 


LAAS FAILUKL 

uak.4. etc. CAULOKI 


CONCLUSION : ReconFlguraclon of the noat reliable eleaenta doea not improve the rlak altuetlon very much! 

NAV.*faciliCiea makea DAAS OK. BITS reduces undetected computer fellurea to 15*10*^ per fit. 
60*10"^ per flight. 


KAP« Fault in 30 

31S panel or 

driv. circ. 


Annunciator Hiaaed or wrong mode atatua NO 

panel info. 


CONCl.USTON : FAB 23,1329 requests meana to inform the pilot what A/D -NAV, 

mode is engaged. Switch positions are not acceptable. DAAS 
OK in this respect. 


Mode controller KMC* 
and drive clr* 340 
cults 


Faulty trim 60 
or hdg sel. 
knob 

Faulty tog* 160 
gle switches 


Faulty solen* 100 
old switches 


A/F'CEU No trlmAidg ael avail, 

various parts Trim/hdg sal activated 
of DAAS accidentally. 

Engage not vanted mode 
Disengage vanted mode 
Not defined mode (a.g, 
ATTetALT) 


Accidental engage or dlsen* 
gage of A/F (Y/D) nodea 


CONCLUSION : FAR 23 requirement on acceasibtltty of control# met. OK, 


66 Auto pilot 

yaw clutch, servo 

67 Roll Clutch, servo 


68 Pitch clutch, servo 


69 Trim clutch, servo 


70 Clutches common 
logic 


Fault in any 70 
hardware 


Control aurface Servo not movable 

Servo run away clutch not 
locking clutch allw, 
locked 


Faulty S 
circuitry 


Control aur* 
faces 


Trim not moveable 
Trim run away 


None of the clutchea en* 
gagea. All clutchea 
stay engaged. 


Yea 

Trim 

Bu>nitor 


The co*pilot 
hr, or 


Might temp, mislead 
the pilot. FC and 
NAV instruments will 
tell the truth, how* 


The pilot overrides 
and disengages the 
system. 

Demanding if a mode 
change takes place 
at busy part of the 
flight, or a mode just 
quietly opens up. 


No Y/D avail. 

Pilot override 
Disengage Y/D 

No roll A/P avail. 
Pilot override 
Disengage A/P. 

No pitch A/P avail. 
Pilot override. 
Disengage A/P. 

Monitor detects trim 
runaways open circuit- 
ries, but not motor 
failures (e.g., only 
one direction.) 

No A/P engaged. Pilot 
must override in 3 


1 


157 


tjAAii LUmilT 


iiU. FAILUKE 


CONCLUSION! i 


FAILUKL 

KATE*lu‘ 


AFFECTED 

ELEMENTS 


EFFECTS OF 
FAILURE 


DAAS 

UAKtI. ETC. 


FAILLKl 

CATtCUKV 


FAR 23 net regarding poaelbllUlai to override. FAR 23 requirement on fault In only one channel not met. 
The pilot might end up In a critical altuatlon If one or more of the aervoa or of Che cluCchea ace not 
operational. Ho warning or Info given. The pilot la in a critical altuatlon If he hat Co override 
all 3 aervoa. The probability of not being able to engtee all clutchea la/'^lp'A/A hra. The probability 
of not being able Co diaengage all clutchea lt<^ (A'5'10 ®) a (4»4*10"“)^ < 10"“/4 hra. 

The probability of a critical altuatlon la negligible! OK, 


A/P'l/O Fault In any Almost all Erroneoua: YES 

CPU BIN hardware 60 -t- 12 elements! Mode status BITE 

A/D, D/A, MUX 60 '• F/D-conoands 

scrvO'Coamanda 

Fit warning BITE 

crulae^perform. 

fuel distance 

m POSSIBLE FAILURE MODES | HUX [ A/D I CPU MEMORY [ P/jTI ICDC Info 

signals high or low x x x EIISI map 

" zeros XX x Annunciator 

faulty XX X x x Error may affect 

£gte signals * — 1 . j x I t I only one function, 

e.go, door warn* 

Ing, or many 
elements, e.g. D/A 
failure cooinanding 
3 servos hardover. 

The bite coverage Is about 9SZ. It Is very likely that BITE will detect even more of the severe 
requested to bring the probability of an undetected failure down to 10 v4 hrs. 


Fault In any 
hardware 60 12 

60 


U1 signals high or low 
" zeros 

" faulty 

Separate signals ** 


D/A 

MU> 

X 


X 


X 

X 


The A/P*l/0 computer 
is e key element In 
DAAS. Failure effects 
of all categories may 
occur. For Instance, 
a CPU failure may 
affect separate ln> 
•tructlona, e.g, shift, 
which will spoil sit 
mult, and dlv. A 
D/A failure may cause 
all outputs to go high, 
Including sll servos 
and ADI comnand bars. 


A BITE coverage of 99.9% Is 


CONCLUSION: FAR 23 requirement on disengagement and posalblllty to override la met. (The added lG-dump>swltch Is helpful). 

FAR 23 requirement on only single exlx hardover failure Is violated. It la probable that failures occur wlilch, 
detected or not by the BITE, will cause transients and shut down major parta of the DAAS. The DAAS co-pilot 
will. In such altuatlona, take over and DAAS will be dlaengaged. 

Actions to resolve the FAR conflict Is recommended. 


NAV FLT/PLAN 
CPU & BIH 


Fault In 
any hard* 
ware 


A/P comm, bars 
A/P aervoa 
EHSl 
IDCC 

NAV I, 2 
BUBBLE MEM. 


ErroQ. com. references 
Faulty nap 
Faulty HAV info. 

Wrong frequencies 
Store faulty KAVAID 
data 


The probability of faulty KAV calculations Isa.^ 4*72*10 «i«^3*lo' 
The probability of faulty NAV calculations 4*72*lO‘^(l-|^) 


Undatected erroneous 
NAV computations may, 
during a fairly long 
time. Introduce A/C 
position errors. Several 
indicators may give con* 
•latently faulty info. 
Loss of NAVAID after a 
detected fault otay also 
bring problems to an 
unexperienced pilot. 


0 without reconfiguration. 

) + (4*72*10"'^) , (1-^q)a.> . 6*10 ^ with reconfiguration. 


Reconfiguration Improves the availability of the NAV calculations 5 times. Significant improvements requires 
better BITE coverage, 

DAAS with co*pllot OK. 




158 



76 Bus controller Any part 60 + 12 

and reconfig. failure 

CPU + BIM 


All DAAS Power up toode. One or more YES 

computers & faults In one or store of the BITE 
functions CPU's when loading the pro- 

grams 

Normal Mode 

1. Misinterpretation of validity 
signals and shutdown of fault' 
free CPU. 

2. Mo warn, given for some BUS-CPU and 
lOCC'CPU failures. 

3. Bus control failures may result 
in missed information or com- 
plete bus traffic breakdown. 

Reconfiguration Mode 

The CPU may fall to racon' 
figure. 


1 These failures are 
expected to be 
detected by BITE 
or the pilot. 

These failures might result 

3 in a demanding situation if 

they occur during a busy 
flight phase. 

3 

3 Loss of most of the DAAS 

functions in a busy flight 
phase is demanding. 

2 Results in loss of EUSl 
or NAV computer. 


77 ABB Bus Faults in I EQUAL TO BUS CONIROL FAILURES NO. 76 

wires or con* 
nectors 

CONCLUSION : Failures in the bus controller may affect more than I channel. 

The DAAS co-pilot provides backup, making DAAS OK. 


1 


159 


^ \ 1 1 1 1 ^ ^ 1 1 ] 1 ] ] 1 


) ) ) 


TAULt 2 FMU 


FAILUKL 

( 10 . 


OAAS ELkllLNT 


110 . 


FAILURE 


FAILUkL 

RATE^IO^ 


AFFECTED 

ELEMENTS 


EFFECTS OP 
FAIUIRE 


UAAS 

UAKd. 


ETC. 


failure 

CATEbOKY 


COIIMLilTb 


78 


EEPROM Memory Any part 300 All DAAS All klnda of failures night YES, Hera 

failure conputers occur fron single Instruction sun checks 

and func- failure to all CPU instructions la the CPU's 

tlons faulty. 


CONCLUSION: Failures affecting more than 1 channel may happen, FAR 23 violation. The most severe failure 

Is EEP ROM memory failure in air, followed by a temporary power loss during a demanding phase 
of the flight. The probability for this to happen Is estimated at less than (300<4*10’^) x (S0*4*10*^) 
The probability for critical failures to occur due to the EEPKOMmemory Is low enough to make DAAS OK. 
Action Is recommended to resolve the FAR conflict. 


A fault happening before 
flight will be detected 
by the mem. sum, check 
or by the pilot before 
takeoff, A failure dur- 
ing flight followed by a 
temp, power loss may, in 
a worse case, mean loss 
of the DAAS. 


' 2«10 


-7 


79 


Cassette 


Any part SOO eeprom memory Tlie failure effects are similar YES 3 

failure toEEPROMmemory failures. CPU mem, 

sum, check 

CONCLUSION : Cassette failures will very likely be.detected by BIT or the pilot before takeoff, 
cassette failure is Judged to be <10*^, DAAS OK. 


A fault will be detected 
before flight. 

The probability of an undetected 


80 Alternator 
(Batt.) 
26VDC bus 


81 Avionics bus 
28 VDC 


82 DAAS A and B 
28 VDC bus 


83 DAAS bus US 
and 26 VAC 


Alternators, ^.1 
Battexy, bus 
failures 


All electrical Shuts down all major DAAS 
units except sensors. 

DAAS-buses 


Obvious 


4 


Very critical situation. 


CONCLUSION ; No FAR 23 or 91 requirements on avionics el. power bus redundancy or failure probability. 

It Is assumed that the pilot quickly disengages a faulty A/C battery If It falls when any alternator Is OK. 

The probability^ of lots of the 28 VDC bus during 4 fit. hrs. It thus! 

^ Alt. A Alt. B xy{ Batt. +>{ bua/^^(200*4‘lo’*>* a (100‘4*10*®) + .1'10'*a/.1"10"* 

NOTE: The battery will be drained In less than 1 fit. hr. (Before the battery Is drained, the probability of 

Open or shorted bus la the most likely reason for electrical power loss). 

Connections, ^ Audio HAV, Loss of couinunlcatlon. NO 4 Affects both the pilot 

switches bus • DME, X-ponder, and co-pllot coninun. NAV 

equipment, 

CONCLUSION : The reduncant lines and switches make the avionics bus as safe as the alternator 28VDC bus, 

(Pilot and co-pllot Instrumentation electrical power should. In principal, be separated.) 


Connections, /u,5 
switches, 
dloda, battery, 
buses 


DAAS CPU's Shuts down DAAS 
memories, 

EHSI, IDCC, 

FCS, etc. 


YES 3 

BITE 


Reliability degradation 
Is due to single switches - 
and lines. 


CONCI^USIOW: DAAS with co-pllot, demanding 3, Still low probability of electrical power loss' 


Lines, 10 
switches • 
converters 


DIR & vert, gyro Errors or no attitude refer* YES 3 

ADI, RMI, ADC ences, etc. "VALIDITY" 

sign condlt. 


CONCLUSION : Loes of DAAS-AC judged OK, 





160 


lAlLUKL 

NU. 

UMAS LlLllLiiT 

lIU. 

FAlLUKt 

I'AILbKk 

AFFECTED 

ELEMENTS 

EFFECTS OF 
FAILURE 

HAAS 

klAkll. LTC. 

FAILUKl 

CaUUUKY 

LuFlriLIIT:i 

64 

DAAS 15VDC 


Lines 

switches 

inverter 

15 

ANALOG I/O 

Most sensor Inputs missing. 

YES 

BITE 

3 


65 

DAAS 12VDC 


It 

18 

Bubble Men. 

Reconfiguration not possible. 

NO 

3 

Probability of 
reconfiguration low. 

66 

DAAS 5VDC 


II 

15 

IDCC 

CPU's 

Shut down of DAAS 

Obvious 

3 



CONCI.USION ; Failures 84 and 86 can be accepted in lAAS due to the co-pilot backup. 
FAR 23 is not net for electrical power failures 62 to 86. 

Actions are recoranended. 


ADDITION DAAS Soft- 

ALL 

CPU *8 

unknown 

A/P, servos. 

Any type of erroneous conn. NO 

3 

ware 




EllSI, IDCC, etc. 

and Information. 



CONCLUSION ; The DAAS co-pllot will take over and D4AS will be disengaged. OK. 


1 I J ' 





